dns2 2.1.0 → 2.3.0

package/packet.js

@@ -1,13 +1,33 @@
-const { debuglog } = require('util');
+const { debuglog } = require('node:util');
+const { randomInt } = require('node:crypto');
 const BufferReader = require('./lib/reader');
 const BufferWriter = require('./lib/writer');
 
 const debug = debuglog('dns2');
 
-const toIPv6 = buffer => buffer
-  .map(part => (part > 0 ? part.toString(16) : '0'))
-  .join(':')
-  .replace(/\b(?:0+:){1,}/, ':');
+// Canonical IPv6 text form per RFC 5952:
+//   - lower case hex, no leading zeros per group  (handled by toString(16))
+//   - the longest run of >= 2 zero groups is replaced with "::"
+//   - on ties, the first such run is chosen
+//   - a single zero group is NOT compressed
+const toIPv6 = buffer => {
+  const segments = buffer.map(part => (part > 0 ? part.toString(16) : '0'));
+  let bestStart = -1; let bestLen = 0;
+  let curStart = -1; let curLen = 0;
+  for (let i = 0; i < segments.length; i++) {
+    if (segments[i] === '0') {
+      if (curLen === 0) curStart = i;
+      curLen++;
+      if (curLen > bestLen) { bestLen = curLen; bestStart = curStart; }
+    } else {
+      curLen = 0;
+    }
+  }
+  if (bestLen < 2) return segments.join(':');
+  const before = segments.slice(0, bestStart).join(':');
+  const after = segments.slice(bestStart + bestLen).join(':');
+  return `${before}::${after}`;
+};
 
 const fromIPv6 = (address) => {
   const digits = address.split(':');
@@ -19,6 +39,13 @@ const fromIPv6 = (address) => {
   if (digits[digits.length - 1] === '') {
     digits.pop();
   }
+  // node js 10 does not support Array.prototype.flatMap
+  if (!Array.prototype.flatMap) {
+    Array.prototype.flatMap = function(f, ctx) {
+      return this.reduce((r, x, i, a) => r.concat(f.call(ctx, x, i, a)), []);
+    };
+  }
+
   // CAVEAT we have to take into account
   // the extra space used by the empty string
   const missingFields = 8 - digits.length + 1;
@@ -76,31 +103,32 @@ function Packet(data) {
  * @docs https://tools.ietf.org/html/rfc1035#section-3.2.2
  */
 Packet.TYPE = {
-  A     : 0x01,
-  NS    : 0x02,
-  MD    : 0x03,
-  MF    : 0x04,
-  CNAME : 0x05,
-  SOA   : 0x06,
-  MB    : 0x07,
-  MG    : 0x08,
-  MR    : 0x09,
-  NULL  : 0x0A,
-  WKS   : 0x0B,
-  PTR   : 0x0C,
-  HINFO : 0x0D,
-  MINFO : 0x0E,
-  MX    : 0x0F,
-  TXT   : 0x10,
-  AAAA  : 0x1C,
-  SRV   : 0x21,
-  EDNS  : 0x29,
-  SPF   : 0x63,
-  AXFR  : 0xFC,
-  MAILB : 0xFD,
-  MAILA : 0xFE,
-  ANY   : 0xFF,
-  CAA   : 0x101,
+  A      : 0x01,
+  NS     : 0x02,
+  MD     : 0x03,
+  MF     : 0x04,
+  CNAME  : 0x05,
+  SOA    : 0x06,
+  MB     : 0x07,
+  MG     : 0x08,
+  MR     : 0x09,
+  NULL   : 0x0A,
+  WKS    : 0x0B,
+  PTR    : 0x0C,
+  HINFO  : 0x0D,
+  MINFO  : 0x0E,
+  MX     : 0x0F,
+  TXT    : 0x10,
+  AAAA   : 0x1C,
+  SRV    : 0x21,
+  EDNS   : 0x29,
+  SPF    : 0x63,
+  AXFR   : 0xFC,
+  MAILB  : 0xFD,
+  MAILA  : 0xFE,
+  ANY    : 0xFF,
+  CAA    : 0x101,
+  DNSKEY : 0x30,
 };
 /**
  * [QUERY_CLASS description]
@@ -114,6 +142,19 @@ Packet.CLASS = {
   HS  : 0x04,
   ANY : 0xFF,
 };
+/**
+ * DNS response codes
+ * @type {Object}
+ * @docs https://tools.ietf.org/html/rfc1035#section-4.1.1
+ */
+Packet.RCODE = {
+  NOERROR  : 0,
+  FORMERR  : 1,
+  SERVFAIL : 2,
+  NXDOMAIN : 3,
+  NOTIMP   : 4,
+  REFUSED  : 5,
+};
 /**
  * [EDNS_OPTION_CODE description]
  * @type {Object}
@@ -124,11 +165,13 @@ Packet.EDNS_OPTION_CODE = {
 };
 
 /**
- * [uuid description]
- * @return {[type]} [description]
+ * Generate a cryptographically random 16-bit DNS transaction ID.
+ * RFC 5452 §3 — the full 16-bit space must be used from a CSPRNG to make
+ * response forgery / cache poisoning impractical.
+ * @return {number} integer in [0, 0xFFFF]
  */
 Packet.uuid = function() {
-  return Math.floor(Math.random() * 1e5);
+  return randomInt(0x10000);
 };
 
 /**
@@ -172,7 +215,6 @@ Object.defineProperty(Packet.prototype, 'recursive', {
   },
   set(yn) {
     this.header.rd = +yn;
-    return this.header.rd;
   },
 });
 
@@ -217,8 +259,11 @@ Packet.Header = function(header) {
   this.rd = 0;
   this.ra = 0;
   this.z = 0;
+  this.ad = 0;
+  this.cd = 0;
   this.rcode = 0;
   this.qdcount = 0;
+  this.ancount = 0;
   this.nscount = 0;
   this.arcount = 0;
   for (const k in header) {
@@ -244,7 +289,10 @@ Packet.Header.parse = function(reader) {
   header.tc = reader.read(1);
   header.rd = reader.read(1);
   header.ra = reader.read(1);
-  header.z = reader.read(3);
+  // RFC 4035 §3.2.3 repurposed the second and third Z bits as AD and CD.
+  header.z = reader.read(1);
+  header.ad = reader.read(1);
+  header.cd = reader.read(1);
   header.rcode = reader.read(4);
   header.qdcount = reader.read(16);
   header.ancount = reader.read(16);
@@ -266,7 +314,9 @@ Packet.Header.prototype.toBuffer = function(writer) {
   writer.write(this.tc, 1);
   writer.write(this.rd, 1);
   writer.write(this.ra, 1);
-  writer.write(this.z, 3);
+  writer.write(this.z, 1);
+  writer.write(this.ad, 1);
+  writer.write(this.cd, 1);
   writer.write(this.rcode, 4);
   writer.write(this.qdcount, 16);
   writer.write(this.ancount, 16);
@@ -379,9 +429,18 @@ Packet.Resource.encode = function(resource, writer) {
   })[0];
   if (encoder in Packet.Resource && Packet.Resource[encoder].encode) {
     return Packet.Resource[encoder].encode(resource, writer);
-  } else {
-    debug('node-dns > unknown encoder %s(%j)', encoder, resource.type);
   }
+  debug('node-dns > unknown encoder %s(%j)', encoder, resource.type);
+  // Fallback for unknown / decoder-only types: round-trip the raw RDATA the
+  // decoder preserved as `resource.data`. Without this, RDLENGTH and RDATA
+  // would be omitted entirely, truncating the wire format and corrupting any
+  // records that follow.
+  const data = Buffer.isBuffer(resource.data) ? resource.data : Buffer.alloc(0);
+  writer.write(data.length, 16);
+  for (const byte of data) {
+    writer.write(byte, 8);
+  }
+  return writer.toBuffer();
 };
 /**
  * [parse description]
@@ -425,11 +484,18 @@ Packet.Name = {
       reader = new Packet.Reader(reader);
     }
     const name = []; let o; let len = reader.read(8);
+    // Track each pointer target we follow. A crafted packet can chain
+    // pointers in a cycle; without this guard, decode would loop forever.
+    const visited = new Set();
     while (len) {
       if ((len & Packet.Name.COPY) === Packet.Name.COPY) {
         len -= Packet.Name.COPY;
         len = len << 8;
         const pos = len + reader.read(8);
+        if (visited.has(pos)) {
+          throw new Error('Name decode: pointer cycle detected');
+        }
+        visited.add(pos);
         if (!o) o = reader.offset;
         reader.offset = pos * 8;
         len = reader.read(8);
@@ -597,7 +663,7 @@ Packet.Resource.SPF =
 Packet.Resource.TXT = {
   decode: function(reader, length) {
     const parts = [];
-    let bytesRead = 0; let chunkLength = 0;
+    let bytesRead = 0; let chunkLength;
 
     while (bytesRead < length) {
       chunkLength = reader.read(8); // text length
@@ -708,19 +774,42 @@ Packet.Resource.SRV = {
   },
 };
 
-Packet.Resource.EDNS = function(rdata) {
+// RFC 6891 §6.1.3 — the OPT record's TTL field carries:
+//   bits  0- 7: extended RCODE (high byte of a 12-bit RCODE)
+//   bits  8-15: EDNS version
+//   bit   16:   DO (DNSSEC OK)
+//   bits 17-31: reserved Z, must be zero
+const ednsTtl = (extendedRcode, version, doFlag) =>
+  (((extendedRcode & 0xff) << 24) >>> 0)
+  | ((version & 0xff) << 16)
+  | (doFlag ? 0x8000 : 0);
+
+Packet.Resource.EDNS = function(rdata, opts = {}) {
+  const extendedRcode = opts.extendedRcode || 0;
+  const version = opts.version || 0;
+  const doFlag = !!opts.doFlag;
+  const udpPayloadSize = opts.udpPayloadSize || 512;
   return {
     type  : Packet.TYPE.EDNS,
-    class : 512, // Supported UDP Payload size
-    ttl   : 0, // Extended RCODE and flags
+    class : udpPayloadSize,
+    ttl   : ednsTtl(extendedRcode, version, doFlag),
+    extendedRcode,
+    version,
+    doFlag,
     rdata, // Objects of type Packet.Resource.EDNS.*
   };
 };
 
 Packet.Resource.EDNS.decode = function(reader, length) {
-  this.type = Packet.TYPE.EDNS;
-  this.class = 512;
-  this.ttl = 0;
+  // When invoked through Resource.parse, this.type/class/ttl are already set
+  // from the wire. Direct callers (e.g. unit tests) hit defaults instead.
+  this.type = this.type ?? Packet.TYPE.EDNS;
+  this.class = this.class ?? 512;
+  const ttl = this.ttl ?? 0;
+  this.ttl = ttl;
+  this.extendedRcode = (ttl >>> 24) & 0xff;
+  this.version = (ttl >>> 16) & 0xff;
+  this.doFlag = !!(ttl & 0x8000);
   this.rdata = [];
 
   while (length) {
@@ -785,35 +874,75 @@ Packet.Resource.EDNS.ECS.decode = function(reader, length) {
   rdata.scopePrefixLength = reader.read(8);
   length -= 4;
 
-  if (rdata.family !== 1) {
-    debug('node-dns > unimplemented address family');
-    reader.read(length * 8); // Ignore data that doesn't understand
-    return rdata;
+  if (rdata.family === 1) {
+    const ipv4Octets = [];
+    while (length--) {
+      const octet = reader.read(8);
+      ipv4Octets.push(octet);
+    }
+    while (ipv4Octets.length < 4) {
+      ipv4Octets.push(0);
+    }
+    rdata.ip = ipv4Octets.join('.');
   }
 
-  const ipv4Octets = [];
-  while (length--) {
-    const octet = reader.read(8);
-    ipv4Octets.push(octet);
-  }
-  while (ipv4Octets.length < 4) {
-    ipv4Octets.push(0);
+  if (rdata.family === 2) {
+    const ipv6Segments = [];
+    for (; length; length -= 2) {
+      const segment = reader.read(16).toString(16);
+      ipv6Segments.push(segment);
+    }
+    while (ipv6Segments.length < 8) {
+      ipv6Segments.push('0');
+    }
+    rdata.ip = ipv6Segments.join(':');
   }
-  rdata.ip = ipv4Octets.join('.');
+
   return rdata;
 };
 
 Packet.Resource.EDNS.ECS.encode = function(record, writer) {
-  const ip = record.ip.split('.').map(s => parseInt(s));
+  // RFC 7871 §6: the ADDRESS field carries only the leftmost
+  // ceil(sourcePrefixLength / 8) octets.
+  const octets = Math.ceil(record.sourcePrefixLength / 8);
   writer.write(record.family, 16);
   writer.write(record.sourcePrefixLength, 8);
   writer.write(record.scopePrefixLength, 8);
-  writer.write(ip[0], 8);
-  writer.write(ip[1], 8);
-  writer.write(ip[2], 8);
-  writer.write(ip[3], 8);
+  let bytes;
+  if (record.family === 1) {
+    bytes = record.ip.split('.').map(s => parseInt(s, 10) || 0);
+  } else if (record.family === 2) {
+    bytes = expandIPv6ToBytes(record.ip);
+  } else {
+    throw new Error(`EDNS.ECS encode: unsupported family ${record.family}`);
+  }
+  for (let i = 0; i < octets; i++) {
+    writer.write(bytes[i] || 0, 8);
+  }
 };
 
+// Expand a (possibly compressed) IPv6 text address into a 16-byte array.
+function expandIPv6ToBytes(address) {
+  let head, tail;
+  const idx = address.indexOf('::');
+  if (idx === -1) {
+    head = address.split(':');
+    tail = [];
+  } else {
+    head = address.slice(0, idx).split(':').filter(Boolean);
+    tail = address.slice(idx + 2).split(':').filter(Boolean);
+  }
+  const missing = 8 - head.length - tail.length;
+  const groups = [ ...head, ...new Array(missing).fill('0'), ...tail ];
+  const out = new Array(16).fill(0);
+  for (let g = 0; g < 8; g++) {
+    const n = parseInt(groups[g], 16) || 0;
+    out[g * 2] = (n >> 8) & 0xff;
+    out[g * 2 + 1] = n & 0xff;
+  }
+  return out;
+}
+
 Packet.Resource.CAA = {
   encode: function(record, writer) {
     writer = writer || new Packet.Writer();
@@ -828,15 +957,135 @@ Packet.Resource.CAA = {
     });
     return writer.toBuffer();
   },
+  decode: function(reader, length) {
+    this.flags = reader.read(8);
+    const tagLength = reader.read(8);
+    const bytes = [];
+    let remaining = length - 2;
+    while (remaining--) bytes.push(reader.read(8));
+    const buffer = Buffer.from(bytes);
+    this.tag = buffer.slice(0, tagLength).toString('utf8');
+    this.value = buffer.slice(tagLength).toString('utf8');
+    return this;
+  },
+};
+
+/**
+ * @type {{decode: (function(*, *): Packet.Resource.DNSKEY)}}
+ * @link https://tools.ietf.org/html/rfc4034
+ * @link https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#table-dns-sec-alg-numbers-1
+ */
+Packet.Resource.DNSKEY = {
+  decode: function(reader, length) {
+    const RData = [];
+    while (RData.length < length) {
+      RData.push(reader.read(8));
+    }
+    this.flags = RData[0] << 8 | RData[1];
+    this.protocol = RData[2];
+    this.algorithm = RData[3];
+    // for key tag
+    let ac = 0;
+    for (let i = 0; i < length; ++i) {
+      ac += (i & 1) ? RData[i] : RData[i] << 8;
+    }
+    ac += (ac >> 16) & 0xFFFF;
+    this.keyTag = ac & 0XFFFF;
+
+    //  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 = 16
+    // convert binary flags
+    let binFlags = this.flags.toString(2);
+    // add left padding until 16 chars
+    while (binFlags.length < 16) {
+      binFlags = '0' + binFlags;
+    }
+    this.zoneKey = binFlags[7] === '1';
+    this.zoneSep = binFlags[15] === '1';
+    this.key = Buffer.from(RData.slice(4)).toString('base64');
+    return this;
+  },
+  encode: function(record, writer) {
+    writer = writer || new Packet.Writer();
+    const buffer = Buffer.from(record.key, 'base64');
+    writer.write(4 + buffer.length, 16);
+    writer.write(record.flags, 16);
+    writer.write(record.protocol, 8);
+    writer.write(record.algorithm, 8);
+    buffer.forEach(function(c) {
+      writer.write(c, 8);
+    });
+    return writer.toBuffer();
+  },
+};
+
+/**
+ * RRSIG just support decode
+ * test with dns.resolveRRSIG('example.com')
+ *
+ * @type {{decode: (function(*, *): Packet.Resource.RRSIG)}}
+ */
+Packet.Resource.RRSIG = {
+  decode: function(reader, length) {
+    function dateForSig(date) {
+      // javascript date is from millisecond
+      date = new Date(date * 1000);
+      const definitions = {
+        month   : (date.getUTCMonth() + 1),
+        date    : date.getUTCDate(),
+        hour    : date.getUTCHours(),
+        minutes : date.getUTCMinutes(),
+        seconds : date.getUTCSeconds(),
+      };
+      let i;
+      for (i in definitions) {
+        // if less than 10 > single
+        if (definitions[i] < 10) {
+          definitions[i] = '0' + '' + definitions[i];
+        }
+      }
+      return date.getFullYear() + '' +
+        definitions.month + '' +
+        definitions.date + '' +
+        definitions.hour + '' +
+        definitions.minutes + '' +
+        definitions.seconds;
+    }
+
+    // calculate max-offset uint8
+    const maxOffset = reader.offset + (length * 8);
+    /*
+     * Stuff sign contains 18 octets
+     */
+    this.sigType = reader.read(16); // 2
+    this.algorithm = reader.read(8); // 1
+    this.labels = reader.read(8); // 1
+    this.originalTtl = reader.read(32); // 4
+    this.expiration = dateForSig(reader.read(32)); // 4
+    this.inception = dateForSig(reader.read(32)); // 4
+    this.keyTag = reader.read(16); // 2
+    this.signer = Packet.Name.decode(reader);
+    const maxLength = (maxOffset - reader.offset) / 8;
+    const signature = [];
+    while (signature.length < maxLength) {
+      signature.push(reader.read(8));
+    }
+    this.signature = Buffer.from(signature).toString('base64');
+    return this;
+  },
 };
 
 Packet.Reader = BufferReader;
 Packet.Writer = BufferWriter;
 
 Packet.createResponseFromRequest = function(request) {
-  const response = new Packet(request);
-  response.header.qr = 1;
-  response.additionals = [];
+  const response = new Packet();
+  response.header = new Packet.Header({
+    id     : request.header.id,
+    opcode : request.header.opcode,
+    rd     : request.header.rd,
+    qr     : 1,
+  });
+  response.questions = request.questions.slice();
   return response;
 };
 

package/server/dns.js

@@ -1,4 +1,5 @@
-const EventEmitter = require('events');
+const EventEmitter = require('node:events');
+const Packet = require('../packet');
 const DOHServer = require('./doh');
 const TCPServer = require('./tcp');
 const UDPServer = require('./udp');
@@ -34,7 +35,23 @@ class DNSServer extends EventEmitter {
       return addresses;
     });
 
-    const emitRequest = (request, send, client) => this.emit('request', request, send, client);
+    const maxConcurrent = options.maxConcurrent > 0 ? options.maxConcurrent : 0;
+    let active = 0;
+
+    const emitRequest = (request, send, client) => {
+      if (maxConcurrent && active >= maxConcurrent) {
+        const response = Packet.createResponseFromRequest(request);
+        response.header.rcode = Packet.RCODE.SERVFAIL;
+        send(response);
+        return;
+      }
+      active++;
+      const wrappedSend = (...args) => {
+        active--;
+        return send(...args);
+      };
+      this.emit('request', request, wrappedSend, client);
+    };
     const emitRequestError = (error) => this.emit('requestError', error);
     for (const server of servers) {
       server.on('request', emitRequest);

package/server/doh.js

@@ -1,9 +1,9 @@
-const http = require('http');
-const https = require('https');
-const { URL } = require('url');
+const http = require('node:http');
+const https = require('node:https');
+const { URL } = require('node:url');
 const Packet = require('../packet');
-const EventEmitter = require('events');
-const { debuglog } = require('util');
+const EventEmitter = require('node:events');
+const { debuglog } = require('node:util');
 
 const debug = debuglog('dns2-server');
 
@@ -20,11 +20,11 @@ const decodeBase64URL = str => {
 };
 
 const readStream = stream => new Promise((resolve, reject) => {
-  let buffer = '';
+  const chunks = [];
   stream
     .on('error', reject)
-    .on('data', chunk => { buffer += chunk; })
-    .on('end', () => resolve(buffer));
+    .on('data', chunk => chunks.push(chunk))
+    .on('end', () => resolve(Buffer.concat(chunks)));
 });
 
 class Server extends EventEmitter {
@@ -139,6 +139,7 @@ class Server extends EventEmitter {
   }
 
   close() {
+    this.server.closeIdleConnections();
     return this.server.close();
   }
 }

package/server/tcp.js

@@ -1,17 +1,31 @@
-const tcp = require('net');
+const tcp = require('node:net');
 const Packet = require('../packet');
+const proxyProtocol = require('../lib/proxy-protocol');
 
 class Server extends tcp.Server {
   constructor(options) {
     super();
+    let proxyProtocolEnabled = false;
+    if (typeof options === 'object' && options !== null) {
+      proxyProtocolEnabled = options.proxyProtocol ?? false;
+    }
     if (typeof options === 'function') {
       this.on('request', options);
     }
+    this.proxyProtocol = proxyProtocolEnabled;
     this.on('connection', this.handle.bind(this));
   }
 
   async handle(client) {
     try {
+      if (this.proxyProtocol) {
+        const header = await consumeProxyHeader(client);
+        client.proxy = header;
+        if (header.command === 'PROXY') {
+          client.proxyAddress = header.sourceAddress;
+          client.proxyPort = header.sourcePort;
+        }
+      }
       const data = await Packet.readStream(client);
       const message = Packet.parse(data);
       this.emit('request', message, this.response.bind(this, client), client);
@@ -31,4 +45,61 @@ class Server extends tcp.Server {
   }
 }
 
+// Read and consume the PROXY header from the front of the socket's stream.
+// Any bytes that arrive past the header are unshifted back into the socket
+// so the next reader (Packet.readStream) sees them.
+function consumeProxyHeader(socket) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let chunklen = 0;
+    let done = false;
+
+    const cleanup = () => {
+      socket.removeListener('readable', onReadable);
+      socket.removeListener('end', onEnd);
+      socket.removeListener('error', onError);
+    };
+    const onError = err => {
+      if (done) return;
+      done = true;
+      cleanup();
+      reject(err);
+    };
+    const onEnd = () => {
+      if (done) return;
+      done = true;
+      cleanup();
+      reject(new Error('PROXY protocol: stream ended before header complete'));
+    };
+    const onReadable = () => {
+      if (done) return;
+      let chunk;
+      while ((chunk = socket.read()) !== null) {
+        chunks.push(chunk);
+        chunklen += chunk.length;
+      }
+      if (chunklen === 0) return;
+      const buffer = Buffer.concat(chunks, chunklen);
+      let parsed;
+      try {
+        parsed = proxyProtocol.parse(buffer);
+      } catch (e) {
+        return onError(e);
+      }
+      if (!parsed) return;
+      done = true;
+      cleanup();
+      const leftover = buffer.slice(parsed.headerLength);
+      if (leftover.length) socket.unshift(leftover);
+      resolve(parsed.header);
+    };
+
+    socket.on('readable', onReadable);
+    socket.on('end', onEnd);
+    socket.on('error', onError);
+    // Drain anything already buffered before our 'readable' listener attached.
+    onReadable();
+  });
+}
+
 module.exports = Server;