dnsx: In Loopback, let Default be blocked & proxied

ignoramous · ignoramous · commit 1b40e7c2e54d · 2025-12-28T00:52:30.000+05:30
diff --git a/intra/dns53/upstream.go b/intra/dns53/upstream.go
@@ -144,6 +144,7 @@ func NewTransportFrom(ctx context.Context, id string, ipp netip.AddrPort, px ipn
 
 func (t *transport) pxdial(network, pid string) (*dns.Conn, string, uintptr, error) {
 	if t.id == dnsx.Bootstrap || t.id == dnsx.System { // bootstrap/default never be proxied
+		// never proxy dns53 transport with "bootstrap" id is a clone of dnsx.System
 		pid = dnsx.NetBaseProxy
 	} else if len(t.relay) > 0 { // relay takes precedence
 		pid = t.relay
diff --git a/intra/dnsx/transport.go b/intra/dnsx/transport.go
@@ -484,12 +484,7 @@ func (r *resolver) LocalLookup(q []byte) ([]byte, string, error) {
 	}
 
 	loopingBack := settings.Loopingback.Load()
-	defaultIsSystemDNS := false
-	if dtr, _ := r.Get(x.StrOf(Default)); dtr != nil {
-		// todo: a better way to determine whether Default is SystemDNS
-		// Default is usually SystemDNS if it is of type DNS53
-		defaultIsSystemDNS = dtr.Type().V() == DNS53
-	}
+	defaultIsSystemDNS := r.isDefaultSystemDNS()
 
 	// including dns64 and/or alg
 	ans, tid, err := r.forward(q, protect.UidSelf, Default)
@@ -1352,10 +1347,10 @@ func CanUseProxy(id string) bool {
 	switch id {
 	case Goos, CT + Goos, Local, CT + Local, System, CT + System:
 		return false
-	case Bootstrap, CT + Bootstrap, Default, CT + Default:
-		return false
 	case Preset, CT + Preset:
 		return false
+	case Default, CT + Default, Bootstrap, CT + Bootstrap:
+		return canProxyDefault()
 	}
 	return true
 }
@@ -1371,10 +1366,12 @@ func overrideProxyIfNeeded(pid string, ids ...string) string {
 			return NetExitProxy
 		case CT + Goos, CT + Local: // exit
 			return NetExitProxy
-		case Bootstrap, Default, System, Preset: // base
+		case System, Preset: // base
 			return NetBaseProxy
-		case CT + Bootstrap, CT + Default, CT + System, CT + Preset: // base
+		case CT + System, CT + Preset: // base
 			return NetBaseProxy
+		case Default, CT + Default, Bootstrap, CT + Bootstrap: // may be proxy
+			return proxyForDefault(pid)
 		}
 	}
 	return pid // as-is
@@ -1386,15 +1383,44 @@ func skipBlock(tr ...Transport) bool {
 			continue
 		}
 		switch idstr(t) { // Plus/CT+Plus to skip blocks conditionally?
-		case Default, BlockFree, Alg, Bootstrap:
+		case BlockFree, Alg:
 			return true
-		case CT + Default, CT + BlockFree, CT + Alg, CT + Bootstrap:
+		case CT + BlockFree, CT + Alg:
 			return true
+		case Default, CT + Default, Bootstrap, CT + Bootstrap:
+			return canBlockDefault()
 		}
 	}
 	return false
 }
 
+func (r *resolver) isDefaultSystemDNS() (y bool) {
+	if dtr, _ := r.GetInternal(Default); dtr != nil {
+		// todo: a better way to determine whether Default is SystemDNS
+		// Default is usually SystemDNS if it is of type DNS53
+		y = dtr.Type().V() == DNS53
+	}
+	return
+}
+
+func canBlockDefault() bool {
+	// TODO: check for gateway.split?
+	return settings.Loopingback.Load()
+}
+
+func canProxyDefault() bool {
+	// TODO: check for gateway.split?
+	// TODO: do not allow proxying when Default is mapped to Goos/System
+	return settings.Loopingback.Load()
+}
+
+func proxyForDefault(pid string) string {
+	if canProxyDefault() {
+		return pid
+	}
+	return NetBaseProxy
+}
+
 func skipInternalCache(tids ...string) bool {
 	return isAnyBlockAll(tids...)
 }
diff --git a/intra/doh/doh.go b/intra/doh/doh.go
@@ -130,7 +130,7 @@ func newTransport(ctx context.Context, typ, id, rawurl, otargeturl string, addrs
 
 	var renewed bool
 	var relay string
-	if id != dnsx.Bootstrap && px != nil {
+	if px != nil {
 		if p, _ := px.ProxyFor(id); p != nil {
 			relay = p.ID().V()
 		}
@@ -781,7 +781,8 @@ func (t *transport) Query(network string, q *dns.Msg, smm *x.DNSSummary) (r *dns
 	var elapsed time.Duration
 	var qerr *dnsx.QueryError
 
-	if t.id == dnsx.Bootstrap { // bootstrap/default never be proxied
+	canproxy := dnsx.CanUseProxy(t.id)
+	if !canproxy { // bootstrap/default may not be proxied
 		pid = dnsx.NetBaseProxy
 	} else if r := t.relay; len(r) > 0 {
 		pid = t.chooseProxy(r)
@@ -829,8 +830,8 @@ func (t *transport) Query(network string, q *dns.Msg, smm *x.DNSSummary) (r *dns
 		smm.Msg = err.Error()
 	}
 	if settings.Debug {
-		log.V("doh: (p/px/via %s/%s/%s); a:%d/sz:%d/pad:%d, q: %s:%d, data: %s, code: %d, via: %s, err? %v",
-			network, pid, rpid, xdns.Len(r), xdns.Size(r), xdns.EDNS0PadLen(r), smm.QName, smm.QType, smm.RData, smm.RCode, smm.PID, err)
+		log.V("doh: (p/px/via/can? %s/%s/%s/%t); a:%d/sz:%d/pad:%d, q: %s:%d, data: %s, code: %d, via: %s, err? %v",
+			network, pid, rpid, canproxy, xdns.Len(r), xdns.Size(r), xdns.EDNS0PadLen(r), smm.QName, smm.QType, smm.RData, smm.RCode, smm.PID, err)
 	}
 	return r, err
 }
