dns2 2.2.1 → 2.3.0

package/lib/proxy-protocol.js

@@ -0,0 +1,153 @@
+'use strict';
+
+// PROXY protocol parser (HAProxy/Nginx).
+// Spec: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+//
+// parse(buffer) returns:
+//   - { header, headerLength } when a complete header is at the start of buffer
+//   - null when the buffer is a valid prefix but more bytes are needed
+// and throws when the bytes are not a valid PROXY header.
+
+const V2_SIGNATURE = Buffer.from([
+  0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D,
+  0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
+]);
+const V1_PREFIX = Buffer.from('PROXY ');
+const V1_MAX_LEN = 108;
+
+const FAMILY = { 0x10: 'IPv4', 0x20: 'IPv6', 0x30: 'Unix' };
+const TRANSPORT = { 0x01: 'STREAM', 0x02: 'DGRAM' };
+
+function parse(buffer) {
+  if (buffer.length >= 12) {
+    if (buffer.slice(0, 12).equals(V2_SIGNATURE)) return parseV2(buffer);
+  } else if (V2_SIGNATURE.slice(0, buffer.length).equals(buffer)) {
+    return null;
+  }
+
+  if (buffer.length >= 6) {
+    if (buffer.slice(0, 6).equals(V1_PREFIX)) return parseV1(buffer);
+  } else if (V1_PREFIX.slice(0, buffer.length).equals(buffer)) {
+    return null;
+  }
+
+  throw new Error('PROXY protocol: header missing or malformed');
+}
+
+function parseV1(buffer) {
+  const search = buffer.slice(0, Math.min(buffer.length, V1_MAX_LEN));
+  const newline = search.indexOf('\r\n');
+  if (newline === -1) {
+    if (buffer.length >= V1_MAX_LEN) {
+      throw new Error('PROXY v1: header exceeds maximum length');
+    }
+    return null;
+  }
+  const line = buffer.slice(0, newline).toString('ascii');
+  const parts = line.split(' ');
+  if (parts[0] !== 'PROXY') throw new Error('PROXY v1: malformed header');
+  const headerLength = newline + 2;
+
+  if (parts[1] === 'UNKNOWN') {
+    return { header: { version: 1, command: 'UNKNOWN' }, headerLength };
+  }
+  if (parts.length !== 6) throw new Error('PROXY v1: malformed header');
+  const [ , proto, sourceAddress, destinationAddress, srcPort, dstPort ] = parts;
+  if (proto !== 'TCP4' && proto !== 'TCP6') {
+    throw new Error(`PROXY v1: unsupported protocol ${proto}`);
+  }
+  return {
+    header: {
+      version         : 1,
+      command         : 'PROXY',
+      family          : proto === 'TCP4' ? 'IPv4' : 'IPv6',
+      transport       : 'STREAM',
+      sourceAddress,
+      sourcePort      : parseInt(srcPort, 10),
+      destinationAddress,
+      destinationPort : parseInt(dstPort, 10),
+    },
+    headerLength,
+  };
+}
+
+function parseV2(buffer) {
+  if (buffer.length < 16) return null;
+  const verCmd = buffer[12];
+  const version = verCmd >> 4;
+  const command = verCmd & 0x0F;
+  if (version !== 2) throw new Error(`PROXY v2: unsupported version ${version}`);
+  if (command !== 0 && command !== 1) {
+    throw new Error(`PROXY v2: unknown command ${command}`);
+  }
+
+  const famProto = buffer[13];
+  const addressLength = buffer.readUInt16BE(14);
+  const headerLength = 16 + addressLength;
+  if (buffer.length < headerLength) return null;
+
+  if (command === 0) {
+    // LOCAL — no real client info (e.g. proxy-originated health check).
+    return { header: { version: 2, command: 'LOCAL' }, headerLength };
+  }
+
+  const family = FAMILY[famProto & 0xF0];
+  const transport = TRANSPORT[famProto & 0x0F];
+
+  let sourceAddress, destinationAddress, sourcePort, destinationPort;
+  if (family === 'IPv4' && addressLength >= 12) {
+    sourceAddress = `${buffer[16]}.${buffer[17]}.${buffer[18]}.${buffer[19]}`;
+    destinationAddress = `${buffer[20]}.${buffer[21]}.${buffer[22]}.${buffer[23]}`;
+    sourcePort = buffer.readUInt16BE(24);
+    destinationPort = buffer.readUInt16BE(26);
+  } else if (family === 'IPv6' && addressLength >= 36) {
+    sourceAddress = ipv6FromBytes(buffer.slice(16, 32));
+    destinationAddress = ipv6FromBytes(buffer.slice(32, 48));
+    sourcePort = buffer.readUInt16BE(48);
+    destinationPort = buffer.readUInt16BE(50);
+  } else {
+    throw new Error(`PROXY v2: unsupported address family/protocol 0x${famProto.toString(16)}`);
+  }
+
+  return {
+    header: {
+      version : 2,
+      command : 'PROXY',
+      family,
+      transport,
+      sourceAddress,
+      sourcePort,
+      destinationAddress,
+      destinationPort,
+    },
+    headerLength,
+  };
+}
+
+function ipv6FromBytes(bytes) {
+  const segments = [];
+  for (let i = 0; i < 16; i += 2) {
+    segments.push(bytes.readUInt16BE(i).toString(16));
+  }
+  return segments.join(':');
+}
+
+// Test helpers — build wire-format headers used by tests and example code.
+function buildV1({ family = 'TCP4', sourceAddress, destinationAddress, sourcePort, destinationPort }) {
+  return Buffer.from(`PROXY ${family} ${sourceAddress} ${destinationAddress} ${sourcePort} ${destinationPort}\r\n`, 'ascii');
+}
+
+function buildV2Ipv4({ sourceAddress, destinationAddress, sourcePort, destinationPort, transport = 'STREAM' }) {
+  const buf = Buffer.alloc(16 + 12);
+  V2_SIGNATURE.copy(buf, 0);
+  buf[12] = 0x21; // version 2 | PROXY command
+  buf[13] = 0x10 | (transport === 'DGRAM' ? 0x02 : 0x01); // IPv4 | STREAM/DGRAM
+  buf.writeUInt16BE(12, 14);
+  sourceAddress.split('.').forEach((o, i) => { buf[16 + i] = parseInt(o, 10); });
+  destinationAddress.split('.').forEach((o, i) => { buf[20 + i] = parseInt(o, 10); });
+  buf.writeUInt16BE(sourcePort, 24);
+  buf.writeUInt16BE(destinationPort, 26);
+  return buf;
+}
+
+module.exports = { parse, parseV1, parseV2, buildV1, buildV2Ipv4 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dns2",
-  "version": "2.2.1",
+  "version": "2.3.0",
   "description": "A DNS Server and Client Implementation in Pure JavaScript with no dependencies.",
   "main": "index.js",
   "types": "ts/index.d.ts",

package/packet.js

@@ -5,10 +5,29 @@ const BufferWriter = require('./lib/writer');
 
 const debug = debuglog('dns2');
 
-const toIPv6 = buffer => buffer
-  .map(part => (part > 0 ? part.toString(16) : '0'))
-  .join(':')
-  .replace(/\b(?:0+:){1,}/, ':');
+// Canonical IPv6 text form per RFC 5952:
+//   - lower case hex, no leading zeros per group  (handled by toString(16))
+//   - the longest run of >= 2 zero groups is replaced with "::"
+//   - on ties, the first such run is chosen
+//   - a single zero group is NOT compressed
+const toIPv6 = buffer => {
+  const segments = buffer.map(part => (part > 0 ? part.toString(16) : '0'));
+  let bestStart = -1; let bestLen = 0;
+  let curStart = -1; let curLen = 0;
+  for (let i = 0; i < segments.length; i++) {
+    if (segments[i] === '0') {
+      if (curLen === 0) curStart = i;
+      curLen++;
+      if (curLen > bestLen) { bestLen = curLen; bestStart = curStart; }
+    } else {
+      curLen = 0;
+    }
+  }
+  if (bestLen < 2) return segments.join(':');
+  const before = segments.slice(0, bestStart).join(':');
+  const after = segments.slice(bestStart + bestLen).join(':');
+  return `${before}::${after}`;
+};
 
 const fromIPv6 = (address) => {
   const digits = address.split(':');
@@ -240,8 +259,11 @@ Packet.Header = function(header) {
   this.rd = 0;
   this.ra = 0;
   this.z = 0;
+  this.ad = 0;
+  this.cd = 0;
   this.rcode = 0;
   this.qdcount = 0;
+  this.ancount = 0;
   this.nscount = 0;
   this.arcount = 0;
   for (const k in header) {
@@ -267,7 +289,10 @@ Packet.Header.parse = function(reader) {
   header.tc = reader.read(1);
   header.rd = reader.read(1);
   header.ra = reader.read(1);
-  header.z = reader.read(3);
+  // RFC 4035 §3.2.3 repurposed the second and third Z bits as AD and CD.
+  header.z = reader.read(1);
+  header.ad = reader.read(1);
+  header.cd = reader.read(1);
   header.rcode = reader.read(4);
   header.qdcount = reader.read(16);
   header.ancount = reader.read(16);
@@ -289,7 +314,9 @@ Packet.Header.prototype.toBuffer = function(writer) {
   writer.write(this.tc, 1);
   writer.write(this.rd, 1);
   writer.write(this.ra, 1);
-  writer.write(this.z, 3);
+  writer.write(this.z, 1);
+  writer.write(this.ad, 1);
+  writer.write(this.cd, 1);
   writer.write(this.rcode, 4);
   writer.write(this.qdcount, 16);
   writer.write(this.ancount, 16);
@@ -457,11 +484,18 @@ Packet.Name = {
       reader = new Packet.Reader(reader);
     }
     const name = []; let o; let len = reader.read(8);
+    // Track each pointer target we follow. A crafted packet can chain
+    // pointers in a cycle; without this guard, decode would loop forever.
+    const visited = new Set();
     while (len) {
       if ((len & Packet.Name.COPY) === Packet.Name.COPY) {
         len -= Packet.Name.COPY;
         len = len << 8;
         const pos = len + reader.read(8);
+        if (visited.has(pos)) {
+          throw new Error('Name decode: pointer cycle detected');
+        }
+        visited.add(pos);
         if (!o) o = reader.offset;
         reader.offset = pos * 8;
         len = reader.read(8);
@@ -740,19 +774,42 @@ Packet.Resource.SRV = {
   },
 };
 
-Packet.Resource.EDNS = function(rdata) {
+// RFC 6891 §6.1.3 — the OPT record's TTL field carries:
+//   bits  0- 7: extended RCODE (high byte of a 12-bit RCODE)
+//   bits  8-15: EDNS version
+//   bit   16:   DO (DNSSEC OK)
+//   bits 17-31: reserved Z, must be zero
+const ednsTtl = (extendedRcode, version, doFlag) =>
+  (((extendedRcode & 0xff) << 24) >>> 0)
+  | ((version & 0xff) << 16)
+  | (doFlag ? 0x8000 : 0);
+
+Packet.Resource.EDNS = function(rdata, opts = {}) {
+  const extendedRcode = opts.extendedRcode || 0;
+  const version = opts.version || 0;
+  const doFlag = !!opts.doFlag;
+  const udpPayloadSize = opts.udpPayloadSize || 512;
   return {
     type  : Packet.TYPE.EDNS,
-    class : 512, // Supported UDP Payload size
-    ttl   : 0, // Extended RCODE and flags
+    class : udpPayloadSize,
+    ttl   : ednsTtl(extendedRcode, version, doFlag),
+    extendedRcode,
+    version,
+    doFlag,
     rdata, // Objects of type Packet.Resource.EDNS.*
   };
 };
 
 Packet.Resource.EDNS.decode = function(reader, length) {
-  this.type = Packet.TYPE.EDNS;
-  this.class = 512;
-  this.ttl = 0;
+  // When invoked through Resource.parse, this.type/class/ttl are already set
+  // from the wire. Direct callers (e.g. unit tests) hit defaults instead.
+  this.type = this.type ?? Packet.TYPE.EDNS;
+  this.class = this.class ?? 512;
+  const ttl = this.ttl ?? 0;
+  this.ttl = ttl;
+  this.extendedRcode = (ttl >>> 24) & 0xff;
+  this.version = (ttl >>> 16) & 0xff;
+  this.doFlag = !!(ttl & 0x8000);
   this.rdata = [];
 
   while (length) {
@@ -845,16 +902,47 @@ Packet.Resource.EDNS.ECS.decode = function(reader, length) {
 };
 
 Packet.Resource.EDNS.ECS.encode = function(record, writer) {
-  const ip = record.ip.split('.').map(s => parseInt(s));
+  // RFC 7871 §6: the ADDRESS field carries only the leftmost
+  // ceil(sourcePrefixLength / 8) octets.
+  const octets = Math.ceil(record.sourcePrefixLength / 8);
   writer.write(record.family, 16);
   writer.write(record.sourcePrefixLength, 8);
   writer.write(record.scopePrefixLength, 8);
-  writer.write(ip[0], 8);
-  writer.write(ip[1], 8);
-  writer.write(ip[2], 8);
-  writer.write(ip[3], 8);
+  let bytes;
+  if (record.family === 1) {
+    bytes = record.ip.split('.').map(s => parseInt(s, 10) || 0);
+  } else if (record.family === 2) {
+    bytes = expandIPv6ToBytes(record.ip);
+  } else {
+    throw new Error(`EDNS.ECS encode: unsupported family ${record.family}`);
+  }
+  for (let i = 0; i < octets; i++) {
+    writer.write(bytes[i] || 0, 8);
+  }
 };
 
+// Expand a (possibly compressed) IPv6 text address into a 16-byte array.
+function expandIPv6ToBytes(address) {
+  let head, tail;
+  const idx = address.indexOf('::');
+  if (idx === -1) {
+    head = address.split(':');
+    tail = [];
+  } else {
+    head = address.slice(0, idx).split(':').filter(Boolean);
+    tail = address.slice(idx + 2).split(':').filter(Boolean);
+  }
+  const missing = 8 - head.length - tail.length;
+  const groups = [ ...head, ...new Array(missing).fill('0'), ...tail ];
+  const out = new Array(16).fill(0);
+  for (let g = 0; g < 8; g++) {
+    const n = parseInt(groups[g], 16) || 0;
+    out[g * 2] = (n >> 8) & 0xff;
+    out[g * 2 + 1] = n & 0xff;
+  }
+  return out;
+}
+
 Packet.Resource.CAA = {
   encode: function(record, writer) {
     writer = writer || new Packet.Writer();

package/server/tcp.js

@@ -1,17 +1,31 @@
 const tcp = require('node:net');
 const Packet = require('../packet');
+const proxyProtocol = require('../lib/proxy-protocol');
 
 class Server extends tcp.Server {
   constructor(options) {
     super();
+    let proxyProtocolEnabled = false;
+    if (typeof options === 'object' && options !== null) {
+      proxyProtocolEnabled = options.proxyProtocol ?? false;
+    }
     if (typeof options === 'function') {
       this.on('request', options);
     }
+    this.proxyProtocol = proxyProtocolEnabled;
     this.on('connection', this.handle.bind(this));
   }
 
   async handle(client) {
     try {
+      if (this.proxyProtocol) {
+        const header = await consumeProxyHeader(client);
+        client.proxy = header;
+        if (header.command === 'PROXY') {
+          client.proxyAddress = header.sourceAddress;
+          client.proxyPort = header.sourcePort;
+        }
+      }
       const data = await Packet.readStream(client);
       const message = Packet.parse(data);
       this.emit('request', message, this.response.bind(this, client), client);
@@ -31,4 +45,61 @@ class Server extends tcp.Server {
   }
 }
 
+// Read and consume the PROXY header from the front of the socket's stream.
+// Any bytes that arrive past the header are unshifted back into the socket
+// so the next reader (Packet.readStream) sees them.
+function consumeProxyHeader(socket) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let chunklen = 0;
+    let done = false;
+
+    const cleanup = () => {
+      socket.removeListener('readable', onReadable);
+      socket.removeListener('end', onEnd);
+      socket.removeListener('error', onError);
+    };
+    const onError = err => {
+      if (done) return;
+      done = true;
+      cleanup();
+      reject(err);
+    };
+    const onEnd = () => {
+      if (done) return;
+      done = true;
+      cleanup();
+      reject(new Error('PROXY protocol: stream ended before header complete'));
+    };
+    const onReadable = () => {
+      if (done) return;
+      let chunk;
+      while ((chunk = socket.read()) !== null) {
+        chunks.push(chunk);
+        chunklen += chunk.length;
+      }
+      if (chunklen === 0) return;
+      const buffer = Buffer.concat(chunks, chunklen);
+      let parsed;
+      try {
+        parsed = proxyProtocol.parse(buffer);
+      } catch (e) {
+        return onError(e);
+      }
+      if (!parsed) return;
+      done = true;
+      cleanup();
+      const leftover = buffer.slice(parsed.headerLength);
+      if (leftover.length) socket.unshift(leftover);
+      resolve(parsed.header);
+    };
+
+    socket.on('readable', onReadable);
+    socket.on('end', onEnd);
+    socket.on('error', onError);
+    // Drain anything already buffered before our 'readable' listener attached.
+    onReadable();
+  });
+}
+
 module.exports = Server;

package/server/udp.js

@@ -1,5 +1,6 @@
 const udp = require('node:dgram');
 const Packet = require('../packet');
+const proxyProtocol = require('../lib/proxy-protocol');
 
 /**
  * [Server description]
@@ -9,10 +10,13 @@ const Packet = require('../packet');
 class Server extends udp.Socket {
   constructor(options) {
     let type = 'udp4';
-    if (typeof options === 'object') {
+    let proxyProtocolEnabled = false;
+    if (typeof options === 'object' && options !== null) {
       type = options.type ?? type;
+      proxyProtocolEnabled = options.proxyProtocol ?? false;
     }
     super(type);
+    this.proxyProtocol = proxyProtocolEnabled;
     if (typeof options === 'function') {
       this.on('request', options);
     }
@@ -21,8 +25,28 @@ class Server extends udp.Socket {
 
   handle(data, rinfo) {
     try {
+      // Response is always sent back to the immediate sender (the proxy when
+      // proxyProtocol is enabled); the parsed client info is exposed to the
+      // request handler so it can log/authorize against the real peer.
+      const responder = rinfo;
+      let clientInfo = rinfo;
+      if (this.proxyProtocol) {
+        const parsed = proxyProtocol.parse(data);
+        if (!parsed) throw new Error('PROXY protocol: incomplete header');
+        if (parsed.header.command === 'PROXY') {
+          clientInfo = {
+            ...rinfo,
+            address : parsed.header.sourceAddress,
+            port    : parsed.header.sourcePort,
+            proxy   : parsed.header,
+          };
+        } else {
+          clientInfo = { ...rinfo, proxy: parsed.header };
+        }
+        data = data.slice(parsed.headerLength);
+      }
       const message = Packet.parse(data);
-      this.emit('request', message, this.response.bind(this, rinfo), rinfo);
+      this.emit('request', message, this.response.bind(this, responder), clientInfo);
     } catch (e) {
       this.emit('requestError', e);
     }