@opensecurity/zonzon-core 0.1.0

package/src/dns-handler.ts

@@ -0,0 +1,355 @@
+import dgram, { RemoteInfo } from "dgram";
+import * as net from "net";
+import { DevDnsServer, DnsWireFormat, extractQuestions } from "./dns-service.js";
+import { ServerConfig, DNS_RCODE } from "./types.js";
+import { RateLimiter } from "./rate-limiter.js";
+import { audit } from "./audit.js";
+import { firewallEngine } from "./firewall.js";
+
+const MAX_TCP_BUFFER_SIZE = 64 * 1024; 
+
+export class DnsHandler {
+  private server: DevDnsServer;
+  private udpServer: dgram.Socket | null = null;
+  private tcpServer: net.Server | null = null;
+  private port: number;
+  private fallbackDns: string | undefined;
+  private config: ServerConfig;
+
+  private activeTcpConnections = new Map<net.Socket, { timeoutId?: ReturnType<typeof setTimeout> }>();
+  private maxTcpConnections: number;
+  private tcpIdleTimeoutMs: number;
+
+  private rateLimiter: RateLimiter | null;
+
+  constructor(server: DevDnsServer, config: ServerConfig) {
+    this.server = server;
+    this.config = config;
+    this.port = config.port;
+    this.fallbackDns = config.fallbackDns;
+    this.maxTcpConnections = config.maxTcpConnections ?? 100;
+    this.tcpIdleTimeoutMs = config.tcpIdleTimeoutMs ?? 30000;
+
+    if (config.rateLimitMaxRequests && config.rateLimitMaxRequests > 0) {
+      this.rateLimiter = new RateLimiter({
+        maxRequests: config.rateLimitMaxRequests,
+        windowMs: config.rateLimitWindowMs ?? 1000,
+      });
+    } else {
+      this.rateLimiter = null;
+    }
+  }
+
+  async start(): Promise<void> {
+    await this.startUdp();
+    await this.startTcp();
+  }
+
+  async stop(): Promise<void> {
+    if (this.udpServer) {
+      await new Promise<void>((resolve) => {
+        this.udpServer?.close(() => resolve());
+      });
+      this.udpServer = null;
+    }
+    if (this.tcpServer) {
+      await new Promise<void>((resolve) => {
+        this.tcpServer?.close(() => resolve());
+      });
+      this.tcpServer = null;
+    }
+  }
+
+  private startUdp(): Promise<void> {
+    return new Promise((resolve, reject) => {
+      const udp = dgram.createSocket("udp4");
+
+      udp.on("message", (data: Buffer, rinfo: RemoteInfo) => {
+        this.handleUdpMessage(data, rinfo);
+      });
+
+      udp.on("error", (err: NodeJS.ErrnoException) => {
+        if (err.code === "EACCES" || err.code === "EADDRINUSE") {
+          reject(err);
+        }
+      });
+
+      udp.on("listening", () => {
+        try { udp.setRecvBufferSize(1024 * 1024); } catch {}
+        this.udpServer = udp;
+        resolve();
+      });
+
+      udp.bind(this.port, "0.0.0.0");
+    });
+  }
+
+  private startTcp(): Promise<void> {
+    return new Promise((resolve) => {
+      const tcpServer = net.createServer((socket: net.Socket) => {
+        if (this.activeTcpConnections.size >= this.maxTcpConnections) {
+          socket.destroy();
+          return;
+        }
+
+        this.activeTcpConnections.set(socket, { timeoutId: undefined });
+
+        socket.setTimeout(this.tcpIdleTimeoutMs);
+        socket.on("timeout", () => {
+          this.removeTcpConnection(socket);
+          socket.destroy();
+        });
+
+        this.handleTcpConnection(socket);
+      });
+
+      tcpServer.on("close", () => {
+        for (const [socket] of this.activeTcpConnections) {
+          if (!socket.destroyed) socket.destroy();
+        }
+        this.activeTcpConnections.clear();
+      });
+
+      tcpServer.on("listening", () => {
+        this.tcpServer = tcpServer;
+        resolve();
+      });
+
+      tcpServer.listen(this.port, "0.0.0.0");
+    });
+  }
+
+  private isRateLimited(ip: string): boolean {
+    if (!this.rateLimiter) return false;
+    return !this.rateLimiter.allow(ip);
+  }
+
+  private parseResolvedIpv4s(resp: Buffer): string[] {
+    const ips: string[] = []; 
+    try {
+      const f = new DnsWireFormat(resp); 
+      f.offset = 4;
+      const qd = f.readUint16();
+      const an = f.readUint16(); 
+      f.offset += 4;
+      
+      for (let i = 0; i < qd; i++) { 
+        f.readDomainName(); 
+        f.offset += 4; 
+      }
+      
+      for (let i = 0; i < an; i++) {
+        f.readDomainName(); 
+        const type = f.readUint16(); 
+        f.offset += 6;
+        const len = f.readUint16();
+        if (type === 1 && len === 4) {
+          ips.push(`${resp[f.offset]}.${resp[f.offset+1]}.${resp[f.offset+2]}.${resp[f.offset+3]}`);
+        }
+        f.offset += len;
+      }
+    } catch {} 
+    return ips;
+  }
+
+  private forwardUdpQuery(data: Buffer, clientInfo: RemoteInfo): void {
+    if (!this.fallbackDns || !this.udpServer) return;
+
+    const fwdSocket = dgram.createSocket("udp4");
+    let handled = false;
+
+    const timeout = setTimeout(() => {
+      if (!handled) {
+        handled = true;
+        fwdSocket.close();
+        const ref = this.server.generateErrorResponse(data, DNS_RCODE.SERVFAIL);
+        this.udpServer?.send(ref, 0, ref.length, clientInfo.port, clientInfo.address);
+      }
+    }, 3000);
+
+    fwdSocket.on("message", (resp) => {
+      if (!handled) {
+        handled = true;
+        clearTimeout(timeout);
+        
+        const ips = this.parseResolvedIpv4s(resp);
+        let blockedIp = null;
+        
+        for (const ip of ips) {
+          if (firewallEngine.evaluateIp(ip, this.config.firewall) === "DENY") {
+            blockedIp = ip;
+            break;
+          }
+        }
+
+        if (blockedIp) {
+          const ref = this.server.generateErrorResponse(data, DNS_RCODE.REFUSED);
+          this.udpServer?.send(ref, 0, ref.length, clientInfo.port, clientInfo.address);
+        } else {
+          this.udpServer?.send(resp, 0, resp.length, clientInfo.port, clientInfo.address);
+        }
+        fwdSocket.close();
+      }
+    });
+
+    fwdSocket.on("error", (err) => {
+      if (!handled) {
+        handled = true;
+        clearTimeout(timeout);
+        fwdSocket.close();
+        const ref = this.server.generateErrorResponse(data, DNS_RCODE.SERVFAIL);
+        this.udpServer?.send(ref, 0, ref.length, clientInfo.port, clientInfo.address);
+      }
+    });
+
+    fwdSocket.send(data, 0, data.length, 53, this.fallbackDns);
+  }
+
+  private handleUdpMessage(data: Buffer, rinfo: RemoteInfo): void {
+    if (this.isRateLimited(rinfo.address)) {
+      return;
+    }
+
+    try {
+      const response = this.server.resolve(data, rinfo.address);
+      if (response) {
+        if (response.length > 0) {
+          this.udpServer?.send(response, 0, response.length, rinfo.port, rinfo.address);
+        }
+      } else {
+        if (this.fallbackDns) {
+          this.forwardUdpQuery(data, rinfo);
+        } else {
+          const nx = this.server.generateErrorResponse(data, DNS_RCODE.NXDOMAIN);
+          this.udpServer?.send(nx, 0, nx.length, rinfo.port, rinfo.address);
+        }
+      }
+    } catch (err) {
+    }
+  }
+
+  private removeTcpConnection(socket: net.Socket): void {
+    const entry = this.activeTcpConnections.get(socket);
+    if (entry?.timeoutId) clearTimeout(entry.timeoutId);
+    this.activeTcpConnections.delete(socket);
+  }
+
+  private forwardTcpQuery(query: Buffer, clientSocket: net.Socket, peerAddr: string): void {
+    if (!this.fallbackDns) return;
+
+    const fwd = net.createConnection(53, this.fallbackDns, () => {
+      const prefixed = Buffer.alloc(2 + query.length);
+      prefixed.writeUInt16BE(query.length, 0);
+      query.copy(prefixed, 2);
+      fwd.write(prefixed);
+    });
+
+    fwd.on("data", (data) => {
+      if (data.length < 2) return;
+      const resp = data.subarray(2);
+      
+      const ips = this.parseResolvedIpv4s(resp);
+      let blockedIp = null;
+      
+      for (const ip of ips) {
+        if (firewallEngine.evaluateIp(ip, this.config.firewall) === "DENY") {
+          blockedIp = ip;
+          break;
+        }
+      }
+
+      if (blockedIp) {
+        if (!clientSocket.destroyed) {
+          const ref = this.server.generateErrorResponse(query, DNS_RCODE.REFUSED);
+          const p = Buffer.alloc(2 + ref.length);
+          p.writeUInt16BE(ref.length, 0);
+          ref.copy(p, 2);
+          clientSocket.write(p);
+          clientSocket.end();
+        }
+      } else {
+        if (!clientSocket.destroyed) clientSocket.write(data);
+      }
+    });
+
+    fwd.on("end", () => {
+      if (!clientSocket.destroyed) clientSocket.end();
+    });
+
+    fwd.on("error", (err) => {
+      if (!clientSocket.destroyed) {
+        const sf = this.server.generateErrorResponse(query, DNS_RCODE.SERVFAIL);
+        const p = Buffer.alloc(2 + sf.length);
+        p.writeUInt16BE(sf.length, 0);
+        sf.copy(p, 2);
+        clientSocket.write(p);
+        clientSocket.end();
+      }
+    });
+  }
+
+  private handleTcpConnection(socket: net.Socket): void {
+    let buffer = Buffer.alloc(0);
+    const peerAddr = socket.remoteAddress || "unknown";
+
+    socket.on("close", () => this.removeTcpConnection(socket));
+    socket.on("error", (err) => {
+      this.removeTcpConnection(socket);
+    });
+
+    if (this.isRateLimited(peerAddr)) {
+      socket.destroy();
+      return;
+    }
+
+    socket.on("data", (data: Buffer) => {
+      if (buffer.length + data.length > MAX_TCP_BUFFER_SIZE) {
+        socket.destroy();
+        return;
+      }
+
+      const combined = Buffer.concat([buffer, data]);
+      buffer = combined;
+
+      while (buffer.length >= 2) {
+        const length = buffer.readUInt16BE(0);
+
+        if (buffer.length < 2 + length) continue; 
+
+        const query = buffer.subarray(2, 2 + length);
+        buffer = buffer.subarray(2 + length);
+
+        try {
+          const response = this.server.resolve(query, peerAddr);
+          if (response) {
+            if (response.length > 0) {
+              const prefixed = Buffer.alloc(2 + response.length);
+              prefixed.writeUInt16BE(response.length, 0);
+              response.copy(prefixed, 2);
+              socket.write(prefixed);
+            } else {
+              socket.end();
+            }
+          } else {
+            if (this.fallbackDns) {
+              this.forwardTcpQuery(query, socket, peerAddr);
+            } else {
+              const nx = this.server.generateErrorResponse(query, DNS_RCODE.NXDOMAIN);
+              const p = Buffer.alloc(2 + nx.length);
+              p.writeUInt16BE(nx.length, 0);
+              nx.copy(p, 2);
+              socket.write(p);
+              socket.end();
+            }
+          }
+        } catch (err) {
+          socket.end();
+        }
+      }
+    });
+  }
+
+  getPort(): number {
+    return this.port;
+  }
+}

package/src/dns-service.test.ts

@@ -0,0 +1,371 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { DevDnsServer } from "./dns-service.js";
+import { ServerConfig, DNS_TYPES, DNS_RCODE } from "./types.js";
+
+function buildQuery(name: string, type: number): Buffer {
+  const encoder = new (class {
+    buf = Buffer.alloc(256);
+    offset = 0;
+
+    writeUint16(v: number) {
+      this.buf.writeUInt16BE(v, this.offset);
+      this.offset += 2;
+    }
+
+    writeUint8(v: number) {
+      this.buf.writeUInt8(v, this.offset);
+      this.offset += 1;
+    }
+
+    writeDomainName(name: string) {
+      for (const label of name.split(".")) {
+        if (label.length === 0) continue;
+        this.writeUint8(label.length);
+        Buffer.from(label).copy(this.buf, this.offset);
+        this.offset += label.length;
+      }
+      this.writeUint8(0);
+    }
+
+    finish(): Buffer {
+      return this.buf.subarray(0, this.offset);
+    }
+  })();
+
+  encoder.writeUint16(0x1234); 
+  encoder.writeUint16(0x0100); 
+  encoder.writeUint16(1); 
+  encoder.writeUint16(0); 
+  encoder.writeUint16(0); 
+  encoder.writeUint16(0); 
+
+  encoder.writeDomainName(name);
+  encoder.writeUint16(type);
+  encoder.writeUint16(1); 
+
+  return encoder.finish();
+}
+
+function buildMalformedQuery(): Buffer {
+  return Buffer.from([0x12, 0x34]); 
+}
+
+function parseResponseFlags(buf: Buffer): { qr: number; rcode: number; id: number } {
+  const id = buf.readUInt16BE(0);
+  const flags = buf.readUInt16BE(2);
+  const qr = (flags >> 15) & 0x1;
+  const rcode = flags & 0xf;
+  return { id, qr, rcode };
+}
+
+function getAnswerCount(buf: Buffer): number {
+  return buf.readUInt16BE(6);
+}
+
+describe("DevDnsServer - Baseline Tests", () => {
+  let server: DevDnsServer;
+
+  it("returns A record with matching ID and NOERROR for configured host", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "test.loop": {
+          records: [{ type: "A", address: "127.0.0.1" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("test.loop", DNS_TYPES.A);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { id, qr, rcode } = parseResponseFlags(response);
+    assert.strictEqual(id, 0x1234);
+    assert.strictEqual(qr, 1);
+    assert.strictEqual(rcode, DNS_RCODE.NOERROR);
+
+    const ancount = getAnswerCount(response);
+    assert.ok(ancount >= 1);
+  });
+
+  it("returns NXDOMAIN for unconfigured host", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {},
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("notexist.loop", DNS_TYPES.A);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { id, qr, rcode } = parseResponseFlags(response);
+    assert.strictEqual(id, 0x1234);
+    assert.strictEqual(qr, 1);
+    assert.strictEqual(rcode, DNS_RCODE.NXDOMAIN);
+  });
+
+  it("returns CNAME record when configured", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "alias.loop": {
+          records: [{ type: "CNAME", target: "target.loop" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("alias.loop", DNS_TYPES.CNAME);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { qr, rcode } = parseResponseFlags(response);
+    assert.strictEqual(qr, 1);
+    assert.strictEqual(rcode, DNS_RCODE.NOERROR);
+
+    const ancount = getAnswerCount(response);
+    assert.ok(ancount >= 1);
+  });
+
+  it("returns TXT record when configured", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "txt.loop": {
+          records: [{ type: "TXT", data: ["v=spf1 include:_example.com ~all"] }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("txt.loop", DNS_TYPES.TXT);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { qr } = parseResponseFlags(response);
+    assert.strictEqual(qr, 1);
+
+    const ancount = getAnswerCount(response);
+    assert.ok(ancount >= 1);
+  });
+
+  it("rejects malformed (too short) query packets", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "test.loop": {
+          records: [{ type: "A", address: "127.0.0.1" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const malformed = buildMalformedQuery();
+    const response = server.resolve(malformed)!;
+
+    assert.strictEqual(response.length, 0);
+  });
+
+  it("rejects packets that are DNS responses (QR=1)", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "test.loop": {
+          records: [{ type: "A", address: "127.0.0.1" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const encoder = new (class {
+      buf = Buffer.alloc(256);
+      offset = 0;
+
+      writeUint16(v: number) {
+        this.buf.writeUInt16BE(v, this.offset);
+        this.offset += 2;
+      }
+
+      writeDomainName(name: string) {
+        for (const label of name.split(".")) {
+          if (label.length === 0) continue;
+          this.writeUint8(label.length);
+          Buffer.from(label).copy(this.buf, this.offset);
+          this.offset += label.length;
+        }
+        this.writeUint8(0);
+      }
+
+      writeUint8(v: number) {
+        this.buf.writeUInt8(v, this.offset);
+        this.offset += 1;
+      }
+
+      finish(): Buffer {
+        return this.buf.subarray(0, this.offset);
+      }
+    })();
+
+    encoder.writeUint16(0xdead);
+    encoder.writeUint16(0x8100); 
+    encoder.writeUint16(1);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeDomainName("test.loop");
+    encoder.writeUint16(DNS_TYPES.A);
+    encoder.writeUint16(1);
+
+    const response = server.resolve(encoder.finish())!;
+    assert.strictEqual(response.length, 0);
+  });
+
+  it("does not process queries with RD=0 (recursion not desired)", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "test.loop": {
+          records: [{ type: "A", address: "127.0.0.1" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const encoder = new (class {
+      buf = Buffer.alloc(256);
+      offset = 0;
+
+      writeUint16(v: number) {
+        this.buf.writeUInt16BE(v, this.offset);
+        this.offset += 2;
+      }
+
+      writeDomainName(name: string) {
+        for (const label of name.split(".")) {
+          if (label.length === 0) continue;
+          this.writeUint8(label.length);
+          Buffer.from(label).copy(this.buf, this.offset);
+          this.offset += label.length;
+        }
+        this.writeUint8(0);
+      }
+
+      writeUint8(v: number) {
+        this.buf.writeUInt8(v, this.offset);
+        this.offset += 1;
+      }
+
+      finish(): Buffer {
+        return this.buf.subarray(0, this.offset);
+      }
+    })();
+
+    encoder.writeUint16(0xbeef);
+    encoder.writeUint16(0x0000); 
+    encoder.writeUint16(1);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeDomainName("test.loop");
+    encoder.writeUint16(DNS_TYPES.A);
+    encoder.writeUint16(1);
+
+    const response = server.resolve(encoder.finish())!;
+    assert.strictEqual(response.length, 0);
+  });
+
+  it("handles multiple host lookups correctly (isolated hosts)", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "alpha.loop": {
+          records: [{ type: "A", address: "10.0.0.1" }],
+        },
+        "beta.loop": {
+          records: [{ type: "A", address: "10.0.0.2" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const alphaResponse = server.resolve(buildQuery("alpha.loop", DNS_TYPES.A))!;
+    assert.ok(alphaResponse.length > 0);
+    const { qr: qrAlpha } = parseResponseFlags(alphaResponse);
+    assert.strictEqual(qrAlpha, 1);
+
+    const betaResponse = server.resolve(buildQuery("beta.loop", DNS_TYPES.A))!;
+    assert.ok(betaResponse.length > 0);
+    const { qr: qrBeta } = parseResponseFlags(betaResponse);
+    assert.strictEqual(qrBeta, 1);
+  });
+
+  it("supports AAAA records", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "ipv6.loop": {
+          records: [{ type: "AAAA", address: "::1" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("ipv6.loop", DNS_TYPES.AAAA);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { qr } = parseResponseFlags(response);
+    assert.strictEqual(qr, 1);
+  });
+
+  it("supports MX records", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "mx.loop": {
+          records: [{ type: "MX", priority: 10, exchange: "mail.mx.loop" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("mx.loop", DNS_TYPES.MX);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { qr } = parseResponseFlags(response);
+    assert.strictEqual(qr, 1);
+  });
+
+  it("supports SRV records", async () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "srv.loop": {
+          records: [{ type: "SRV", priority: 10, weight: 5, port: 8080, target: "app.srv.loop" }],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("srv.loop", DNS_TYPES.SRV);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { qr } = parseResponseFlags(response);
+    assert.strictEqual(qr, 1);
+  });
+});