@opensecurity/zonzon-core 0.1.2 → 0.1.3

package/dist/audit.d.ts

@@ -0,0 +1,10 @@
+export declare class AuditLogger {
+    private isTestEnv;
+    private sanitize;
+    dns(ip: string, questions: any[], rcode: number, cached?: boolean): void;
+    firewall(ip: string, target: string, action: "ALLOW" | "DENY", detail?: string): void;
+    http(ip: string, method: string, host: string, path: string, status: number, target?: string): void;
+    system(msg: string): void;
+    error(msg: string): void;
+}
+export declare const audit: AuditLogger;

package/dist/audit.js

@@ -0,0 +1,39 @@
+import { DNS_TYPES } from "./types.js";
+const REVERSE_DNS_TYPES = Object.fromEntries(Object.entries(DNS_TYPES).map(([k, v]) => [v, k]));
+export class AuditLogger {
+    isTestEnv = process.argv.includes("--test") || process.env.NODE_ENV === "test";
+    sanitize(input) {
+        return String(input || "").replace(/[\r\n\t]/g, " ").replace(/[^\x20-\x7E]/g, "?");
+    }
+    dns(ip, questions, rcode, cached = false) {
+        if (this.isTestEnv)
+            return;
+        const codeMap = { 0: "Found (NOERROR)", 3: "Not Found (NXDOMAIN)", 5: "Blocked by Firewall (REFUSED)" };
+        const prefix = cached ? "[Cached] " : "";
+        questions.forEach(q => {
+            console.log(`[DNS] ${this.sanitize(ip)} | ${prefix}${REVERSE_DNS_TYPES[q.type] || q.type} ${this.sanitize(q.name)} -> ${codeMap[rcode] || rcode}`);
+        });
+    }
+    firewall(ip, target, action, detail = "") {
+        if (this.isTestEnv)
+            return;
+        const color = action === "ALLOW" ? "\x1b[32mALLOW\x1b[0m" : "\x1b[31mDENY\x1b[0m";
+        console.log(`[FIREWALL] ${this.sanitize(ip)} | ${color} | ${this.sanitize(target)} ${detail ? `(${this.sanitize(detail)})` : ""}`);
+    }
+    http(ip, method, host, path, status, target = "") {
+        if (this.isTestEnv)
+            return;
+        console.log(`[HTTP] ${this.sanitize(ip)} | Returned Status ${status} | ${this.sanitize(method)} ${this.sanitize(host)}${this.sanitize(path)} ${target ? `-> ${this.sanitize(target)}` : ""}`);
+    }
+    system(msg) {
+        if (this.isTestEnv)
+            return;
+        console.log(`[SYSTEM] ${this.sanitize(msg)}`);
+    }
+    error(msg) {
+        if (this.isTestEnv)
+            return;
+        console.error(`[ERROR] \x1b[31m${this.sanitize(msg)}\x1b[0m`);
+    }
+}
+export const audit = new AuditLogger();

package/dist/cache-layer.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cache-layer.test.js

@@ -0,0 +1,205 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { DevDnsServer } from "./dns-service.js";
+import { DNS_TYPES } from "./types.js";
+function buildQuery(name, type) {
+    const encoder = new (class {
+        buf = Buffer.alloc(256);
+        offset = 0;
+        writeUint16(v) {
+            this.buf.writeUInt16BE(v, this.offset);
+            this.offset += 2;
+        }
+        writeUint8(v) {
+            this.buf.writeUInt8(v, this.offset);
+            this.offset += 1;
+        }
+        writeDomainName(nm) {
+            for (const label of nm.split(".")) {
+                if (label.length === 0)
+                    continue;
+                this.writeUint8(label.length);
+                Buffer.from(label).copy(this.buf, this.offset);
+                this.offset += label.length;
+            }
+            this.writeUint8(0);
+        }
+        finish() {
+            return this.buf.subarray(0, this.offset);
+        }
+    })();
+    encoder.writeUint16(0x5678);
+    encoder.writeUint16(0x0100);
+    encoder.writeUint16(1);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeDomainName(name);
+    encoder.writeUint16(type);
+    encoder.writeUint16(1);
+    return encoder.finish();
+}
+function parseResponseFlags(buf) {
+    const flags = buf.readUInt16BE(2);
+    const qr = (flags >> 15) & 0x1;
+    const rcode = flags & 0xf;
+    return { qr, rcode };
+}
+function getTtlFromResponse(buf) {
+    const ancount = buf.readUInt16BE(6);
+    if (ancount === 0)
+        return null;
+    let offset = 12;
+    while (offset < buf.length && buf[offset] !== 0) {
+        const len = buf[offset];
+        if ((len & 0xc0) === 0xc0)
+            break;
+        offset += len + 1;
+    }
+    offset += 5;
+    if (offset + 4 > buf.length)
+        return null;
+    return buf.readUInt32BE(offset);
+}
+describe("DevDnsServer - Cache Layer", () => {
+    let server;
+    it("caches responses when cache is enabled with TTL", async () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 5000,
+            hosts: {
+                "cached.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const queryBuffer = buildQuery("cached.loop", DNS_TYPES.A);
+        const firstResponse = server.resolve(queryBuffer);
+        assert.ok(firstResponse.length > 0);
+        const ttl1 = getTtlFromResponse(firstResponse);
+        assert.ok(ttl1 !== null && ttl1 >= 5);
+        await new Promise((resolve) => setTimeout(resolve, 200));
+        const secondResponse = server.resolve(queryBuffer);
+        assert.ok(secondResponse.length > 0);
+        const { qr: qr1, rcode: rc1 } = parseResponseFlags(firstResponse);
+        const { qr: qr2, rcode: rc2 } = parseResponseFlags(secondResponse);
+        assert.strictEqual(qr1, qr2);
+        assert.strictEqual(rc1, rc2);
+        const ttl2 = getTtlFromResponse(secondResponse);
+        assert.ok(ttl2 !== null);
+        assert.ok(ttl2 <= ttl1);
+    });
+    it("returns expired cache entries as stale", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 50,
+            hosts: {
+                "short-lived.loop": { records: [{ type: "A", address: "10.0.0.1" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const queryBuffer = buildQuery("short-lived.loop", DNS_TYPES.A);
+        server.resolve(queryBuffer);
+        return new Promise((resolve) => {
+            setTimeout(() => {
+                const expiredResponse = server.resolve(queryBuffer);
+                assert.ok(expiredResponse.length > 0);
+                const { rcode } = parseResponseFlags(expiredResponse);
+                assert.strictEqual(rcode, 0);
+                resolve();
+            }, 100);
+        });
+    });
+    it("enforces cache size limit by evicting oldest entries", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 3,
+            dnsCacheTtlMs: 10000,
+            hosts: {
+                "one.loop": { records: [{ type: "A", address: "1.1.1.1" }] },
+                "two.loop": { records: [{ type: "A", address: "2.2.2.2" }] },
+                "three.loop": { records: [{ type: "A", address: "3.3.3.3" }] },
+                "four.loop": { records: [{ type: "A", address: "4.4.4.4" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        server.resolve(buildQuery("one.loop", DNS_TYPES.A));
+        server.resolve(buildQuery("two.loop", DNS_TYPES.A));
+        server.resolve(buildQuery("three.loop", DNS_TYPES.A));
+        server.resolve(buildQuery("four.loop", DNS_TYPES.A));
+        const r1 = server.resolve(buildQuery("one.loop", DNS_TYPES.A));
+        const r4 = server.resolve(buildQuery("four.loop", DNS_TYPES.A));
+        assert.ok(r1.length > 0 || r4.length > 0);
+    });
+    it("does not cache when cache is disabled (zero TTL)", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "no-cache.loop": { records: [{ type: "A", address: "9.9.9.9" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const queryBuffer = buildQuery("no-cache.loop", DNS_TYPES.A);
+        const resp1 = server.resolve(queryBuffer);
+        assert.ok(resp1.length > 0);
+        const resp2 = server.resolve(queryBuffer);
+        assert.ok(resp2.length > 0);
+    });
+    it("returns NXDOMAIN for unknown hosts without caching the negative result when cache is enabled", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 2000,
+            hosts: {},
+        };
+        server = new DevDnsServer(config);
+        const queryBuffer = buildQuery("nonexistent.loop", DNS_TYPES.A);
+        const response = server.resolve(queryBuffer);
+        assert.ok(response.length > 0);
+        const { rcode } = parseResponseFlags(response);
+        assert.strictEqual(rcode, 3);
+    });
+    it("caches multi-question queries separately per question", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 5000,
+            hosts: {
+                "a.loop": { records: [{ type: "A", address: "1.1.1.1" }] },
+                "b.loop": { records: [{ type: "A", address: "2.2.2.2" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const encoder = new (class {
+            buf = Buffer.alloc(512);
+            offset = 0;
+            writeUint16(v) { this.buf.writeUInt16BE(v, this.offset); this.offset += 2; }
+            writeUint8(v) { this.buf.writeUInt8(v, this.offset); this.offset += 1; }
+            writeDomainName(nm) { for (const label of nm.split(".")) {
+                if (label.length === 0)
+                    continue;
+                this.writeUint8(label.length);
+                Buffer.from(label).copy(this.buf, this.offset);
+                this.offset += label.length;
+            } this.writeUint8(0); }
+            finish() { return this.buf.subarray(0, this.offset); }
+        })();
+        encoder.writeUint16(0xAAAA);
+        encoder.writeUint16(0x0100);
+        encoder.writeUint16(2);
+        encoder.writeUint16(0);
+        encoder.writeUint16(0);
+        encoder.writeUint16(0);
+        encoder.writeDomainName("a.loop");
+        encoder.writeUint16(DNS_TYPES.A);
+        encoder.writeUint16(1);
+        encoder.writeDomainName("b.loop");
+        encoder.writeUint16(DNS_TYPES.A);
+        encoder.writeUint16(1);
+        const response = server.resolve(encoder.finish());
+        assert.ok(response.length > 0);
+    });
+});

package/dist/cache-multi-question.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cache-multi-question.test.js

@@ -0,0 +1,187 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { DevDnsServer } from "./dns-service.js";
+import { DNS_TYPES, DNS_CLASSES } from "./types.js";
+describe("Multi-Question TTL Cache Rewriting", () => {
+    function buildMultiQuestionQuery(names, types) {
+        const encoder = new (class {
+            buf = Buffer.alloc(1024);
+            offset = 0;
+            writeUint16(v) {
+                this.buf.writeUInt16BE(v, this.offset);
+                this.offset += 2;
+            }
+            writeUint8(v) {
+                this.buf.writeUInt8(v, this.offset);
+                this.offset += 1;
+            }
+            writeDomainName(nm) {
+                for (const label of nm.split(".")) {
+                    if (label.length === 0)
+                        continue;
+                    this.writeUint8(label.length);
+                    Buffer.from(label).copy(this.buf, this.offset);
+                    this.offset += label.length;
+                }
+                this.writeUint8(0);
+            }
+            finish() {
+                return this.buf.subarray(0, this.offset);
+            }
+        })();
+        encoder.writeUint16(0xCAFE);
+        encoder.writeUint16(0x0100);
+        encoder.writeUint16(names.length);
+        encoder.writeUint16(0);
+        encoder.writeUint16(0);
+        encoder.writeUint16(0);
+        for (let i = 0; i < names.length; i++) {
+            encoder.writeDomainName(names[i]);
+            encoder.writeUint16(types[i] || DNS_TYPES.A);
+            encoder.writeUint16(DNS_CLASSES.IN);
+        }
+        return encoder.finish();
+    }
+    function extractAnswerTtls(response) {
+        const ttls = [];
+        const qdcount = response.readUInt16BE(4);
+        let offset = 12;
+        for (let i = 0; i < qdcount && offset < response.length; i++) {
+            while (offset < response.length) {
+                const len = response[offset];
+                if (len === 0) {
+                    offset++;
+                    break;
+                }
+                if ((len & 0xc0) === 0xc0) {
+                    offset += 2;
+                    break;
+                }
+                offset += 1 + len;
+            }
+            offset += 4;
+        }
+        const ancount = response.readUInt16BE(6);
+        for (let i = 0; i < ancount && offset + 8 <= response.length; i++) {
+            offset += 2;
+            offset += 2;
+            offset += 2;
+            ttls.push(response.readUInt32BE(offset));
+            offset += 4;
+            const rdlength = response.readUInt16BE(offset);
+            offset += 2 + rdlength;
+        }
+        return ttls;
+    }
+    it("rewrites TTL for all answer entries in a cached multi-question response", async () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 10000,
+            hosts: {
+                "alpha.loop": { records: [{ type: "A", address: "1.1.1.1" }] },
+                "beta.loop": { records: [{ type: "A", address: "2.2.2.2" }] },
+            },
+        };
+        const server = new DevDnsServer(config);
+        const query = buildMultiQuestionQuery(["alpha.loop", "beta.loop"], [DNS_TYPES.A, DNS_TYPES.A]);
+        const response1 = server.resolve(query);
+        assert.ok(response1.length > 0);
+        const ttlsAfterFirst = extractAnswerTtls(response1);
+        assert.strictEqual(ttlsAfterFirst.length, 2);
+        assert.ok(ttlsAfterFirst.every((t) => t > 0));
+        await new Promise((resolve) => setTimeout(resolve, 200));
+        const response2 = server.resolve(query);
+        assert.ok(response2.length > 0);
+        const ttlsAfterCacheHit = extractAnswerTtls(response2);
+        assert.strictEqual(ttlsAfterCacheHit.length, 2);
+        const originalTotalTtl = ttlsAfterFirst.reduce((a, b) => a + b, 0);
+        const cachedTotalTtl = ttlsAfterCacheHit.reduce((a, b) => a + b, 0);
+        assert.ok(cachedTotalTtl < originalTotalTtl);
+        assert.ok(ttlsAfterCacheHit.every((t) => t >= 0));
+    });
+    it("handles three-question multi-query without TTL corruption", async () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 10000,
+            hosts: {
+                "one.loop": { records: [{ type: "A", address: "1.0.0.1" }] },
+                "two.loop": { records: [{ type: "A", address: "1.0.0.2" }] },
+                "three.loop": { records: [{ type: "A", address: "1.0.0.3" }] },
+            },
+        };
+        const server = new DevDnsServer(config);
+        const query = buildMultiQuestionQuery(["one.loop", "two.loop", "three.loop"], [DNS_TYPES.A, DNS_TYPES.A, DNS_TYPES.A]);
+        const response1 = server.resolve(query);
+        assert.ok(response1.length > 0);
+        const ttlsAfterFirst = extractAnswerTtls(response1);
+        assert.strictEqual(ttlsAfterFirst.length, 3);
+        await new Promise((resolve) => setTimeout(resolve, 300));
+        const response2 = server.resolve(query);
+        assert.ok(response2.length > 0);
+        const ttlsAfterCache = extractAnswerTtls(response2);
+        assert.strictEqual(ttlsAfterCache.length, 3);
+        const maxTtl = config.dnsCacheTtlMs / 1000;
+        for (const ttl of ttlsAfterCache) {
+            assert.ok(ttl >= 0 && ttl <= maxTtl);
+        }
+    });
+    it("does not corrupt question data when rewriting TTL in multi-question response", async () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 10000,
+            hosts: {
+                "a.loop": { records: [{ type: "A", address: "1.2.3.4" }] },
+                "b.loop": { records: [{ type: "A", address: "5.6.7.8" }] },
+            },
+        };
+        const server = new DevDnsServer(config);
+        const query = buildMultiQuestionQuery(["a.loop", "b.loop"], [DNS_TYPES.A, DNS_TYPES.A]);
+        const originalResponse = server.resolve(query);
+        assert.ok(originalResponse.length > 0);
+        const originalBytes = Buffer.from(originalResponse);
+        await new Promise((resolve) => setTimeout(resolve, 150));
+        const cachedResponse = server.resolve(query);
+        assert.ok(cachedResponse.length > 0);
+        assert.strictEqual(cachedResponse.readUInt16BE(6), originalResponse.readUInt16BE(6));
+        assert.strictEqual(cachedResponse.length, originalBytes.length);
+        const origQdcount = originalResponse.readUInt16BE(4);
+        const cacheQdcount = cachedResponse.readUInt16BE(4);
+        assert.strictEqual(origQdcount, cacheQdcount);
+        const origAncount = originalResponse.readUInt16BE(6);
+        const cacheAncount = cachedResponse.readUInt16BE(6);
+        assert.strictEqual(origAncount, cacheAncount);
+        const origTtls = extractAnswerTtls(originalResponse);
+        const cacheTtls = extractAnswerTtls(cachedResponse);
+        for (let i = 0; i < origTtls.length; i++) {
+            assert.ok(cacheTtls[i] <= origTtls[i]);
+        }
+    });
+    it("handles multi-question with mismatched record types", async () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 10000,
+            hosts: {
+                "a.loop": { records: [{ type: "A", address: "1.2.3.4" }] },
+                "b.loop": { records: [{ type: "AAAA", address: "::1" }] },
+            },
+        };
+        const server = new DevDnsServer(config);
+        const query = buildMultiQuestionQuery(["a.loop", "b.loop"], [DNS_TYPES.A, DNS_TYPES.AAAA]);
+        const response1 = server.resolve(query);
+        assert.ok(response1.length > 0);
+        const ttlsFirst = extractAnswerTtls(response1);
+        assert.strictEqual(ttlsFirst.length, 2);
+        await new Promise((resolve) => setTimeout(resolve, 100));
+        const response2 = server.resolve(query);
+        assert.ok(response2.length > 0);
+        const ttlsCache = extractAnswerTtls(response2);
+        assert.strictEqual(ttlsCache.length, 2);
+        for (const ttl of ttlsCache) {
+            assert.ok(ttl >= 0);
+        }
+    });
+});

package/dist/dns-handler.d.ts

@@ -0,0 +1,27 @@
+import { DevDnsServer } from "./dns-service.js";
+import { ServerConfig } from "./types.js";
+export declare class DnsHandler {
+    private server;
+    private udpServer;
+    private tcpServer;
+    private port;
+    private fallbackDns;
+    private config;
+    private activeTcpConnections;
+    private maxTcpConnections;
+    private tcpIdleTimeoutMs;
+    private rateLimiter;
+    constructor(server: DevDnsServer, config: ServerConfig);
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    private startUdp;
+    private startTcp;
+    private isRateLimited;
+    private parseResolvedIpv4s;
+    private forwardUdpQuery;
+    private handleUdpMessage;
+    private removeTcpConnection;
+    private forwardTcpQuery;
+    private handleTcpConnection;
+    getPort(): number;
+}