Improve target CNAME resolving for cloaking (#2959)

- Fix critical privacy leak: Replace system DNS lookups with encrypted resolution
- Prevent cloaking rule bypass when upstream server fails
- Fix IPv4/IPv6 filtering to handle both types correctly
- Add error handling for empty IP lists before slicing
- Separate caching for IPv4 and IPv6 responses
- Add proper timeout for resolver queries
- Fix systemd socket mode to properly populate listenAddresses
- Extend read locking scope in PluginCloak

Author: lifenjoiner

dnscrypt-proxy/plugin_cloak.go

@@ -15,13 +15,14 @@ import (
 )
 
 type CloakedName struct {
-	target     string
-	ipv4       []net.IP
-	ipv6       []net.IP
-	lastUpdate *time.Time
-	lineNo     int
-	isIP       bool
-	PTR        []string
+	target      string
+	ipv4        []net.IP
+	ipv6        []net.IP
+	lastUpdate4 *time.Time
+	lastUpdate6 *time.Time
+	lineNo      int
+	isIP        bool
+	PTR         []string
 }
 
 type PluginCloak struct {
@@ -242,47 +243,52 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	}
 	cloakedName := xcloakedName.(*CloakedName)
 	ttl, expired := plugin.ttl, false
-	if cloakedName.lastUpdate != nil {
-		if elapsed := uint32(now.Sub(*cloakedName.lastUpdate).Seconds()); elapsed < ttl {
+	var lastUpdate *time.Time
+	switch question.Qtype {
+	case dns.TypeA:
+		lastUpdate = cloakedName.lastUpdate4
+	case dns.TypeAAAA:
+		lastUpdate = cloakedName.lastUpdate6
+	}
+	if lastUpdate != nil {
+		if elapsed := uint32(now.Sub(*lastUpdate).Seconds()); elapsed < ttl {
 			ttl -= elapsed
 		} else {
 			expired = true
 		}
 	}
-	if !cloakedName.isIP && ((cloakedName.ipv4 == nil && cloakedName.ipv6 == nil) || expired) {
+	synth := EmptyResponseFromMessage(msg)
+	if !cloakedName.isIP && ((question.Qtype == dns.TypeA && cloakedName.ipv4 == nil) ||
+		(question.Qtype == dns.TypeAAAA && cloakedName.ipv6 == nil) || expired) {
 		target := cloakedName.target
 		plugin.RUnlock()
-		foundIPs, err := net.LookupIP(target)
+		foundIPs, _, err := pluginsState.xTransport.resolveEncrypted(target, question.Qtype)
 		if err != nil {
+			synth.Rcode = dns.RcodeServerFailure
+			pluginsState.synthResponse = synth
+			pluginsState.action = PluginsActionSynth
+			pluginsState.returnCode = PluginsReturnCodeCloak
 			return nil
 		}
 
 		// Use write lock to update cloakedName
 		plugin.Lock()
-		cloakedName.lastUpdate = &now
-		cloakedName.ipv4 = nil
-		cloakedName.ipv6 = nil
-		for _, foundIP := range foundIPs {
-			if ipv4 := foundIP.To4(); ipv4 != nil {
-				cloakedName.ipv4 = append(cloakedName.ipv4, foundIP)
-				if len(cloakedName.ipv4) >= 16 {
-					break
-				}
-			} else {
-				cloakedName.ipv6 = append(cloakedName.ipv6, foundIP)
-				if len(cloakedName.ipv6) >= 16 {
-					break
-				}
+		if len(foundIPs) > 0 {
+			n := Min(16, len(foundIPs))
+			switch question.Qtype {
+			case dns.TypeA:
+				cloakedName.lastUpdate4 = &now
+				cloakedName.ipv4 = foundIPs[:n]
+			case dns.TypeAAAA:
+				cloakedName.lastUpdate6 = &now
+				cloakedName.ipv6 = foundIPs[:n]
 			}
 		}
 		plugin.Unlock()
 
 		// Reacquire read lock
 		plugin.RLock()
 	}
-	plugin.RUnlock()
-
-	synth := EmptyResponseFromMessage(msg)
 	synth.Answer = []dns.RR{}
 	if question.Qtype == dns.TypeA {
 		for _, ip := range cloakedName.ipv4 {
@@ -306,6 +312,8 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 			synth.Answer = append(synth.Answer, rr)
 		}
 	}
+	plugin.RUnlock()
+
 	rand.Shuffle(
 		len(synth.Answer),
 		func(i, j int) { synth.Answer[i], synth.Answer[j] = synth.Answer[j], synth.Answer[i] },

dnscrypt-proxy/plugins.go

@@ -75,6 +75,7 @@ type PluginsState struct {
 	clientAddr                       *net.Addr
 	synthResponse                    *dns.Msg
 	questionMsg                      *dns.Msg
+	xTransport                       *XTransport
 	sessionData                      map[string]interface{}
 	action                           PluginsAction
 	timeout                          time.Duration
@@ -267,6 +268,7 @@ func NewPluginsState(
 		requestStart:                     start,
 		maxUnencryptedUDPSafePayloadSize: MaxDNSUDPSafePacketSize,
 		sessionData:                      make(map[string]interface{}),
+		xTransport:                       proxy.xTransport,
 	}
 }
 

dnscrypt-proxy/systemd_linux.go

@@ -4,6 +4,7 @@ package main
 
 import (
 	"net"
+	"slices"
 
 	"github.com/coreos/go-systemd/activation"
 	"github.com/jedisct1/dlog"
@@ -19,15 +20,22 @@ func (proxy *Proxy) addSystemDListeners() error {
 			)
 		}
 		dlog.Warn("Systemd sockets are untested and unsupported - use at your own risk")
+		proxy.listenAddresses = make([]string, 0)
 	}
 	for i, file := range files {
 		defer file.Close()
+		var listenAddress string
 		if listener, err := net.FileListener(file); err == nil {
 			proxy.registerTCPListener(listener.(*net.TCPListener))
-			dlog.Noticef("Wiring systemd TCP socket #%d, %s, %s", i, file.Name(), listener.Addr())
+			listenAddress = listener.Addr().String()
+			dlog.Noticef("Wiring systemd TCP socket #%d, %s, %s", i, file.Name(), listenAddress)
 		} else if pc, err := net.FilePacketConn(file); err == nil {
 			proxy.registerUDPListener(pc.(*net.UDPConn))
-			dlog.Noticef("Wiring systemd UDP socket #%d, %s, %s", i, file.Name(), pc.LocalAddr())
+			listenAddress = pc.LocalAddr().String()
+			dlog.Noticef("Wiring systemd UDP socket #%d, %s, %s", i, file.Name(), listenAddress)
+		}
+		if len(listenAddress) > 0 && !slices.Contains(proxy.listenAddresses, listenAddress) {
+			proxy.listenAddresses = append(proxy.listenAddresses, listenAddress)
 		}
 	}
 	return nil

dnscrypt-proxy/xtransport.go

@@ -34,6 +34,7 @@ const (
 	DefaultBootstrapResolver = "9.9.9.9:53"
 	DefaultKeepAlive         = 5 * time.Second
 	DefaultTimeout           = 30 * time.Second
+	ResolverReadTimeout      = 5 * time.Second
 	SystemResolverIPTTL      = 12 * time.Hour
 	MinResolverIPTTL         = 4 * time.Hour
 	ResolverIPTTLMaxJitter   = 15 * time.Minute
@@ -331,83 +332,88 @@ func (xTransport *XTransport) rebuildTransport() {
 	}
 }
 
-func (xTransport *XTransport) resolveUsingSystem(host string) (ip net.IP, ttl time.Duration, err error) {
-	ttl = SystemResolverIPTTL
-	var foundIPs []string
-	foundIPs, err = net.LookupHost(host)
-	if err != nil {
-		return ip, ttl, err
+func (xTransport *XTransport) resolveUsingSystem(host string, forceType uint16) ([]net.IP, time.Duration, error) {
+	ipa, err := net.LookupIP(host)
+	queryIPv4 := xTransport.useIPv4
+	queryIPv6 := xTransport.useIPv6
+	if forceType == dns.TypeNone && queryIPv4 && queryIPv6 {
+		return ipa, SystemResolverIPTTL, err
+	}
+	switch forceType {
+	case dns.TypeA:
+		queryIPv4 = true
+		queryIPv6 = false
+	case dns.TypeAAAA:
+		queryIPv4 = false
+		queryIPv6 = true
 	}
 	ips := make([]net.IP, 0)
-	for _, ip := range foundIPs {
-		if foundIP := net.ParseIP(ip); foundIP != nil {
-			isIPv4 := foundIP.To4() != nil
-			if (isIPv4 && xTransport.useIPv4) || (!isIPv4 && xTransport.useIPv6) {
-				ips = append(ips, foundIP)
-			}
+	for _, ip := range ipa {
+		ipv4 := ip.To4()
+		if queryIPv4 && ipv4 != nil {
+			ips = append(ips, ipv4)
+		}
+		if queryIPv6 && ipv4 == nil {
+			ips = append(ips, ip)
 		}
 	}
-	if len(ips) > 0 {
-		ip = ips[rand.Intn(len(ips))]
-	}
-	return ip, ttl, err
+	return ips, SystemResolverIPTTL, err
 }
 
 func (xTransport *XTransport) resolveUsingResolver(
 	proto, host string,
 	resolver string,
-) (ip net.IP, ttl time.Duration, err error) {
-	dnsClient := dns.Client{Net: proto}
-	if xTransport.useIPv4 {
-		msg := dns.Msg{}
-		msg.SetQuestion(dns.Fqdn(host), dns.TypeA)
-		msg.SetEdns0(uint16(MaxDNSPacketSize), true)
-		var in *dns.Msg
-		if in, _, err = dnsClient.Exchange(&msg, resolver); err == nil {
-			answers := make([]dns.RR, 0)
-			for _, answer := range in.Answer {
-				if answer.Header().Rrtype == dns.TypeA {
-					answers = append(answers, answer)
-				}
-			}
-			if len(answers) > 0 {
-				answer := answers[rand.Intn(len(answers))]
-				ip = answer.(*dns.A).A
-				ttl = time.Duration(answer.Header().Ttl) * time.Second
-				return ip, ttl, err
-			}
+	forceType uint16,
+) (ips []net.IP, ttl time.Duration, err error) {
+	dnsClient := dns.Client{Net: proto, ReadTimeout: ResolverReadTimeout}
+	queryType := make([]uint16, 0, 2)
+	switch forceType {
+	case dns.TypeA:
+		queryType = append(queryType, dns.TypeA)
+	case dns.TypeAAAA:
+		queryType = append(queryType, dns.TypeAAAA)
+	default:
+		if xTransport.useIPv4 {
+			queryType = append(queryType, dns.TypeA)
+		}
+		if xTransport.useIPv6 {
+			queryType = append(queryType, dns.TypeAAAA)
 		}
 	}
-	if xTransport.useIPv6 {
+	var rrTTL uint32
+	for _, rrType := range queryType {
 		msg := dns.Msg{}
-		msg.SetQuestion(dns.Fqdn(host), dns.TypeAAAA)
+		msg.SetQuestion(dns.Fqdn(host), rrType)
 		msg.SetEdns0(uint16(MaxDNSPacketSize), true)
 		var in *dns.Msg
 		if in, _, err = dnsClient.Exchange(&msg, resolver); err == nil {
-			answers := make([]dns.RR, 0)
 			for _, answer := range in.Answer {
-				if answer.Header().Rrtype == dns.TypeAAAA {
-					answers = append(answers, answer)
+				if answer.Header().Rrtype == rrType {
+					switch rrType {
+					case dns.TypeA:
+						ips = append(ips, answer.(*dns.A).A)
+					case dns.TypeAAAA:
+						ips = append(ips, answer.(*dns.AAAA).AAAA)
+					}
+					rrTTL = answer.Header().Ttl
 				}
 			}
-			if len(answers) > 0 {
-				answer := answers[rand.Intn(len(answers))]
-				ip = answer.(*dns.AAAA).AAAA
-				ttl = time.Duration(answer.Header().Ttl) * time.Second
-				return ip, ttl, err
-			}
 		}
 	}
-	return ip, ttl, err
+	if len(ips) > 0 {
+		ttl = time.Duration(rrTTL) * time.Second
+	}
+	return ips, ttl, err
 }
 
 func (xTransport *XTransport) resolveUsingResolvers(
 	proto, host string,
 	resolvers []string,
-) (ip net.IP, ttl time.Duration, err error) {
+	forceType uint16,
+) (ips []net.IP, ttl time.Duration, err error) {
 	err = errors.New("Empty resolvers")
 	for i, resolver := range resolvers {
-		ip, ttl, err = xTransport.resolveUsingResolver(proto, host, resolver)
+		ips, ttl, err = xTransport.resolveUsingResolver(proto, host, resolver, forceType)
 		if err == nil {
 			if i > 0 {
 				dlog.Infof("Resolution succeeded with resolver %s[%s]", proto, resolver)
@@ -417,34 +423,22 @@ func (xTransport *XTransport) resolveUsingResolvers(
 		}
 		dlog.Infof("Unable to resolve [%s] using resolver [%s] (%s): %v", host, resolver, proto, err)
 	}
-	return ip, ttl, err
+	return ips, ttl, err
 }
 
-// If a name is not present in the cache, resolve the name and update the cache
-func (xTransport *XTransport) resolveAndUpdateCache(host string) error {
-	if xTransport.proxyDialer != nil || xTransport.httpProxyFunction != nil {
-		return nil
-	}
-	if ParseIP(host) != nil {
-		return nil
-	}
-	cachedIP, expired, updating := xTransport.loadCachedIP(host)
-	if cachedIP != nil && (!expired || updating) {
-		return nil
-	}
-	xTransport.markUpdatingCachedIP(host)
+func (xTransport *XTransport) resolveEncrypted(host string, forceType uint16) ([]net.IP, time.Duration, error) {
+	return xTransport.resolveUsingResolvers(xTransport.mainProto, host, xTransport.internalResolvers, forceType)
+}
 
-	var foundIP net.IP
-	var ttl time.Duration
-	var err error
+func (xTransport *XTransport) resolve(host string, forceType uint16) (ips []net.IP, ttl time.Duration, err error) {
 	protos := []string{"udp", "tcp"}
 	if xTransport.mainProto == "tcp" {
 		protos = []string{"tcp", "udp"}
 	}
 	if xTransport.ignoreSystemDNS {
 		if xTransport.internalResolverReady {
 			for _, proto := range protos {
-				foundIP, ttl, err = xTransport.resolveUsingResolvers(proto, host, xTransport.internalResolvers)
+				ips, ttl, err = xTransport.resolveUsingResolvers(proto, host, xTransport.internalResolvers, forceType)
 				if err == nil {
 					break
 				}
@@ -454,7 +448,7 @@ func (xTransport *XTransport) resolveAndUpdateCache(host string) error {
 			dlog.Notice(err)
 		}
 	} else {
-		foundIP, ttl, err = xTransport.resolveUsingSystem(host)
+		ips, ttl, err = xTransport.resolveUsingSystem(host, forceType)
 		if err != nil {
 			err = errors.New("System DNS is not usable yet")
 			dlog.Notice(err)
@@ -469,15 +463,37 @@ func (xTransport *XTransport) resolveAndUpdateCache(host string) error {
 					proto,
 				)
 			}
-			foundIP, ttl, err = xTransport.resolveUsingResolvers(proto, host, xTransport.bootstrapResolvers)
+			ips, ttl, err = xTransport.resolveUsingResolvers(proto, host, xTransport.bootstrapResolvers, forceType)
 			if err == nil {
 				break
 			}
 		}
 	}
 	if err != nil && xTransport.ignoreSystemDNS {
 		dlog.Noticef("Bootstrap resolvers didn't respond - Trying with the system resolver as a last resort")
-		foundIP, ttl, err = xTransport.resolveUsingSystem(host)
+		ips, ttl, err = xTransport.resolveUsingSystem(host, forceType)
+	}
+	return ips, ttl, err
+}
+
+// If a name is not present in the cache, resolve the name and update the cache
+func (xTransport *XTransport) resolveAndUpdateCache(host string) error {
+	if xTransport.proxyDialer != nil || xTransport.httpProxyFunction != nil {
+		return nil
+	}
+	if ParseIP(host) != nil {
+		return nil
+	}
+	cachedIP, expired, updating := xTransport.loadCachedIP(host)
+	if cachedIP != nil && (!expired || updating) {
+		return nil
+	}
+	xTransport.markUpdatingCachedIP(host)
+
+	var foundIP net.IP
+	ips, ttl, err := xTransport.resolve(host, dns.TypeNone)
+	if len(ips) > 0 {
+		foundIP = ips[rand.Intn(len(ips))]
 	}
 	if ttl < MinResolverIPTTL {
 		ttl = MinResolverIPTTL