fix: use DNAT to intercept all DNS queries

ammario · claude · ammario · commit b8f4832549bc · 2025-11-02T19:09:17.000-06:00
Previously, httpjail attempted to control DNS by manipulating /etc/resolv.conf via /etc/netns/<namespace>/ directories. This approach was broken because: 1. The auto-bind-mount feature of `ip netns` fails when /etc/resolv.conf is a symlink (common on systemd systems) 2. Created persistent resources (/etc/netns/ directories) that could leak 3. Depended on the host's /etc/resolv.conf configuration This commit removes all DNS file manipulation (~200 lines) and instead uses nftables DNAT to intercept ALL DNS queries at the network layer: - Add DNAT rule: `udp dport 53 dnat to {host_ip}` - DNS queries to any nameserver (8.8.8.8, 1.1.1.1, etc.) are transparently redirected to our dummy DNS server - No mounts, no persistent files, completely independent of host config - Simple, robust, portable across all Linux systems Changes: - nftables.rs: Add DNS DNAT rule in namespace output chain - mod.rs: Remove fix_systemd_resolved_dns() and ensure_namespace_dns() - resources.rs: Remove NamespaceConfig resource - mod.rs: Remove namespace_config field from LinuxJail struct All 23 integration tests pass on ci-1. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/jail/linux/mod.rs b/src/jail/linux/mod.rs
@@ -10,7 +10,7 @@ use super::JailConfig;
 use crate::sys_resource::ManagedResource;
 use anyhow::{Context, Result};
 use dns::DummyDnsServer;
-use resources::{NFTable, NamespaceConfig, NetworkNamespace, VethPair};
+use resources::{NFTable, NetworkNamespace, VethPair};
 use std::process::{Command, ExitStatus};
 use std::sync::{Arc, Mutex};
 use tracing::{debug, info, warn};
@@ -65,7 +65,6 @@ pub struct LinuxJail {
     config: JailConfig,
     namespace: Option<ManagedResource<NetworkNamespace>>,
     veth_pair: Option<ManagedResource<VethPair>>,
-    namespace_config: Option<ManagedResource<NamespaceConfig>>,
     nftables: Option<ManagedResource<NFTable>>,
     dns_server: Option<Arc<Mutex<DummyDnsServer>>>,
     // Per-jail computed networking (unique /30 inside 10.99/16)
@@ -83,7 +82,6 @@ impl LinuxJail {
             config,
             namespace: None,
             veth_pair: None,
-            namespace_config: None,
             nftables: None,
             dns_server: None,
             host_ip,
@@ -210,10 +208,6 @@ impl LinuxJail {
         let namespace_name = self.namespace_name();
         let veth_ns = self.veth_ns();
 
-        // Ensure DNS is properly configured in the namespace
-        // This is a fallback in case the bind mount didn't work
-        self.ensure_namespace_dns()?;
-
         // Format the host IP once
         let host_ip = format_ip(self.host_ip);
 
@@ -370,212 +364,6 @@ impl LinuxJail {
         Ok(())
     }
 
-    /// Fix DNS resolution in network namespaces
-    ///
-    /// ## The DNS Problem
-    ///
-    /// Network namespaces have isolated network stacks, including their own loopback.
-    /// When we create a namespace, it gets a copy of /etc/resolv.conf from the host.
-    ///
-    /// Common issues:
-    /// 1. **systemd-resolved**: Points to 127.0.0.53 which doesn't exist in the namespace
-    /// 2. **Local DNS**: Any local DNS resolver (127.0.0.1, etc.) won't be accessible
-    /// 3. **Corporate DNS**: Internal DNS servers might not be reachable from the namespace
-    /// 4. **CI environments**: Often have minimal or no DNS configuration
-    ///
-    /// ## Why We Can't Route Loopback Traffic to the Host
-    ///
-    /// You might think: "Just route 127.0.0.0/8 from the namespace to the host!"
-    /// This doesn't work due to Linux kernel security:
-    ///
-    /// 1. **Martian Packet Protection**: The kernel considers packets with 127.x.x.x
-    ///    addresses coming from non-loopback interfaces as "martian" (impossible/spoofed)
-    /// 2. **Source Address Validation**: Even with rp_filter=0, the kernel won't accept
-    ///    127.x.x.x packets from external interfaces
-    /// 3. **Built-in Security**: This is hardcoded in the kernel's IP stack for security -
-    ///    loopback addresses should NEVER appear on the network
-    ///
-    /// Even if we tried:
-    /// - `ip route add 127.0.0.53/32 via 10.99.X.1` - packets get dropped
-    /// - `nftables DNAT` to rewrite 127.0.0.53 -> host IP - happens too late
-    /// - Disabling rp_filter - doesn't help with loopback addresses
-    ///
-    /// ## Our Solution
-    ///
-    /// Instead of fighting the kernel's security measures, we:
-    /// 1. Always create a custom resolv.conf for the namespace
-    /// 2. Use public DNS servers (Google's 8.8.8.8 and 8.8.4.4)
-    /// 3. These DNS queries go out through our veth pair and work normally
-    ///
-    /// **IMPORTANT**: `ip netns add` automatically bind-mounts files from
-    /// /etc/netns/<namespace-name>/ to /etc/ inside the namespace when the namespace
-    /// is created. We MUST create /etc/netns/<namespace-name>/resolv.conf BEFORE
-    /// creating the namespace for this to work. This overrides /etc/resolv.conf
-    /// ONLY for processes running in the namespace. The host's /etc/resolv.conf
-    /// remains completely untouched.
-    ///
-    /// This is simpler, more reliable, and doesn't compromise security.
-    fn fix_systemd_resolved_dns(&mut self) -> Result<()> {
-        let namespace_name = self.namespace_name();
-
-        // Always create namespace config resource and custom resolv.conf
-        // This ensures DNS works in all environments, not just systemd-resolved
-        info!(
-            "Setting up DNS for namespace {} with custom resolv.conf",
-            namespace_name
-        );
-
-        // Ensure /etc/netns/<namespace>/ directory exists
-        let netns_namespace_dir = format!("/etc/netns/{}", namespace_name);
-
-        // Use mkdir -p to ensure directory exists (more robust than Rust's create_dir_all)
-        let mkdir_output = Command::new("mkdir")
-            .args(["-p", &netns_namespace_dir])
-            .output()
-            .context("Failed to execute mkdir")?;
-
-        if !mkdir_output.status.success() {
-            anyhow::bail!(
-                "Failed to create directory {}: {}",
-                netns_namespace_dir,
-                String::from_utf8_lossy(&mkdir_output.stderr)
-            );
-        }
-
-        // Verify directory exists
-        if !std::path::Path::new(&netns_namespace_dir).is_dir() {
-            anyhow::bail!(
-                "Directory {} does not exist after creation",
-                netns_namespace_dir
-            );
-        }
-
-        debug!("Created directory: {}", netns_namespace_dir);
-
-        // Write custom resolv.conf that will be bind-mounted into the namespace
-        // Point directly to the host's veth IP where our DNS server listens
-        let resolv_conf_path = format!("{}/resolv.conf", netns_namespace_dir);
-        let host_ip = format_ip(self.host_ip);
-        let resolv_conf_content = format!(
-            "# Custom DNS for httpjail namespace\n\
-# Points to dummy DNS server on host to prevent exfiltration\n\
-nameserver {}\n",
-            host_ip
-        );
-        std::fs::write(&resolv_conf_path, &resolv_conf_content)
-            .context("Failed to write namespace-specific resolv.conf")?;
-
-        info!(
-            "Created namespace-specific resolv.conf at {} pointing to local DNS server",
-            resolv_conf_path
-        );
-
-        // Verify the file was created
-        if !std::path::Path::new(&resolv_conf_path).exists() {
-            anyhow::bail!("Failed to create resolv.conf at {}", resolv_conf_path);
-        }
-
-        // Create namespace config resource for cleanup tracking
-        // IMPORTANT: Create this AFTER writing resolv.conf to ensure the file exists
-        self.namespace_config = Some(ManagedResource::<NamespaceConfig>::create(
-            &self.config.jail_id,
-        )?);
-
-        Ok(())
-    }
-
-    /// Ensure DNS works in the namespace by copying resolv.conf if needed
-    #[allow(clippy::collapsible_if)]
-    fn ensure_namespace_dns(&self) -> Result<()> {
-        let namespace_name = self.namespace_name();
-
-        // Check if DNS is already working by testing /etc/resolv.conf in namespace
-        let check_cmd = Command::new("ip")
-            .args(["netns", "exec", &namespace_name, "cat", "/etc/resolv.conf"])
-            .output();
-
-        let needs_fix = if let Ok(output) = check_cmd {
-            if !output.status.success() {
-                info!("Cannot read /etc/resolv.conf in namespace, will fix DNS");
-                true
-            } else {
-                let content = String::from_utf8_lossy(&output.stdout);
-                // Check if it's pointing to systemd-resolved or is empty
-                if content.is_empty() || content.contains("127.0.0.53") {
-                    info!("DNS points to systemd-resolved or is empty in namespace, will fix");
-                    true
-                } else if content.contains("nameserver") {
-                    info!("DNS already configured in namespace {}", namespace_name);
-                    false
-                } else {
-                    info!("No nameserver found in namespace resolv.conf, will fix");
-                    true
-                }
-            }
-        } else {
-            info!("Failed to check DNS in namespace, will attempt fix");
-            true
-        };
-
-        if !needs_fix {
-            return Ok(());
-        }
-
-        // DNS not working, try to fix it by copying a working resolv.conf
-        info!(
-            "Fixing DNS in namespace {} by copying resolv.conf",
-            namespace_name
-        );
-
-        // Setup DNS for the namespace
-        // Create a temporary resolv.conf before running the nsenter command
-        let temp_dir = crate::jail::get_temp_dir();
-        std::fs::create_dir_all(&temp_dir).ok();
-        let temp_resolv = temp_dir
-            .join(format!("httpjail_resolv_{}.conf", &namespace_name))
-            .to_string_lossy()
-            .to_string();
-        // Use the host veth IP where our dummy DNS server listens
-        let host_ip = format_ip(self.host_ip);
-        let dns_content = format!("nameserver {}\n", host_ip);
-        std::fs::write(&temp_resolv, &dns_content)
-            .with_context(|| format!("Failed to create temp resolv.conf: {}", temp_resolv))?;
-
-        // SAFE FALLBACK: Update the /etc/netns/<name>/resolv.conf file
-        // This avoids dangerous operations inside the namespace that could escape isolation.
-        //
-        // IMPORTANT: We do NOT use bind mounts inside namespaces because:
-        // 1. `ip netns exec` only enters the network namespace, NOT the mount namespace
-        // 2. Bind mounting /etc/resolv.conf (which is a symlink) in the host mount namespace
-        //    will follow the symlink and corrupt /run/systemd/resolve/stub-resolv.conf on the HOST
-        // 3. This breaks DNS for the entire system, not just the namespace
-        //
-        // Instead, we update /etc/netns/<name>/resolv.conf which should have been automatically
-        // bind-mounted by the kernel when the namespace was created.
-        let netns_resolv_path = format!("/etc/netns/{}/resolv.conf", namespace_name);
-
-        match std::fs::write(&netns_resolv_path, &dns_content) {
-            Ok(_) => {
-                info!(
-                    "Updated namespace-specific resolv.conf at {}",
-                    netns_resolv_path
-                );
-            }
-            Err(e) => {
-                warn!(
-                    "Failed to update {}: {}. DNS may not work in namespace. \
-                     This is safe but the namespace will not have working DNS.",
-                    netns_resolv_path, e
-                );
-            }
-        }
-
-        // Clean up temp file
-        let _ = std::fs::remove_file(&temp_resolv);
-
-        Ok(())
-    }
-
     /// Start the dummy DNS server in the namespace
     fn start_dns_server(&mut self) -> Result<()> {
         let namespace_name = self.namespace_name();
@@ -619,10 +407,6 @@ impl Jail for LinuxJail {
         // Check for root access
         Self::check_root()?;
 
-        // Fix DNS BEFORE creating namespace so bind mount works
-        // The /etc/netns/<namespace>/ directory must exist before namespace creation
-        self.fix_systemd_resolved_dns()?;
-
         // Create network namespace
         self.create_namespace()?;
 
@@ -768,7 +552,6 @@ impl Jail for LinuxJail {
         // When these go out of scope, they will clean themselves up
         let _namespace = ManagedResource::<NetworkNamespace>::for_existing(jail_id);
         let _veth = ManagedResource::<VethPair>::for_existing(jail_id);
-        let _config = ManagedResource::<NamespaceConfig>::for_existing(jail_id);
         let _nftables = ManagedResource::<NFTable>::for_existing(jail_id);
 
         Ok(())
@@ -783,7 +566,6 @@ impl Clone for LinuxJail {
             config: self.config.clone(),
             namespace: None,
             veth_pair: None,
-            namespace_config: None,
             nftables: None,
             dns_server: None,
             host_ip: self.host_ip,
diff --git a/src/jail/linux/nftables.rs b/src/jail/linux/nftables.rs
@@ -123,10 +123,14 @@ table ip {table_name} {{
         let ruleset = format!(
             r#"
 table ip {table_name} {{
-    # NAT output chain: redirect HTTP/HTTPS to host proxy
+    # NAT output chain: redirect HTTP/HTTPS/DNS to host
     chain output {{
         type nat hook output priority -100; policy accept;
 
+        # Redirect all DNS queries to our dummy DNS server on host
+        # This works regardless of what nameserver is in /etc/resolv.conf
+        udp dport 53 dnat to {host_ip}
+
         # Redirect HTTP to proxy running on host
         tcp dport 80 dnat to {host_ip}:{http_port}
 
@@ -141,7 +145,7 @@ table ip {table_name} {{
         # Always allow established/related traffic
         ct state established,related accept
 
-        # Allow DNS traffic directly to the host (UDP only)
+        # Allow DNS traffic to the host (after DNAT redirection)
         ip daddr {host_ip} udp dport 53 accept
 
         # Allow traffic to the host proxy ports after DNAT
diff --git a/src/jail/linux/resources.rs b/src/jail/linux/resources.rs
@@ -145,57 +145,6 @@ impl SystemResource for VethPair {
     }
 }
 
-/// Namespace configuration directory (/etc/netns/<namespace>)
-pub struct NamespaceConfig {
-    path: String,
-    created: bool,
-}
-
-impl SystemResource for NamespaceConfig {
-    fn create(jail_id: &str) -> Result<Self> {
-        let namespace_name = format!("httpjail_{}", jail_id);
-        let path = format!("/etc/netns/{}", namespace_name);
-
-        // Create directory if needed
-        if !std::path::Path::new(&path).exists() {
-            std::fs::create_dir_all(&path)
-                .context("Failed to create namespace config directory")?;
-            debug!("Created namespace config directory: {}", path);
-        }
-
-        Ok(Self {
-            path,
-            created: true,
-        })
-    }
-
-    fn cleanup(&mut self) -> Result<()> {
-        if !self.created {
-            return Ok(());
-        }
-
-        if std::path::Path::new(&self.path).exists() {
-            if let Err(e) = std::fs::remove_dir_all(&self.path) {
-                // Log but don't fail
-                debug!("Failed to remove namespace config directory: {}", e);
-            } else {
-                debug!("Removed namespace config directory: {}", self.path);
-            }
-        }
-
-        self.created = false;
-        Ok(())
-    }
-
-    fn for_existing(jail_id: &str) -> Self {
-        let namespace_name = format!("httpjail_{}", jail_id);
-        Self {
-            path: format!("/etc/netns/{}", namespace_name),
-            created: true,
-        }
-    }
-}
-
 /// NFTable resource wrapper for a jail
 pub struct NFTable {
     #[allow(dead_code)]
