Merge pull request #2 from nnemirovsky/feat/hostname-recovery

feat(proxy): recover hostnames from IP-only SOCKS5 requests via DNS cache

Author: nnemirovsky

internal/proxy/dns.go

@@ -21,6 +21,7 @@ type DNSInterceptor struct {
 	engine   *atomic.Pointer[policy.Engine]
 	audit    *audit.FileLogger
 	resolver string // upstream DNS resolver address (host:port)
+	reverse  *ReverseDNSCache
 }
 
 // NewDNSInterceptor creates a DNS interceptor that forwards allowed queries
@@ -37,9 +38,16 @@ func NewDNSInterceptor(engine *atomic.Pointer[policy.Engine], audit *audit.FileL
 		engine:   engine,
 		audit:    audit,
 		resolver: resolver,
+		reverse:  NewReverseDNSCache(),
 	}
 }
 
+// ReverseLookup returns the hostname for an IP if it was recently resolved
+// through this interceptor. Returns empty string if not found.
+func (d *DNSInterceptor) ReverseLookup(ip string) string {
+	return d.reverse.Lookup(ip)
+}
+
 // dnsTimeout bounds how long a single upstream DNS query can block.
 const dnsQueryTimeout = 5 * time.Second
 
@@ -253,7 +261,18 @@ func (d *DNSInterceptor) HandleQuery(query []byte) ([]byte, error) {
 		return BuildNXDOMAIN(query)
 	}
 
-	return d.forwardToResolver(query)
+	resp, fwdErr := d.forwardToResolver(query)
+	if fwdErr != nil {
+		return nil, fwdErr
+	}
+
+	// Populate reverse DNS cache from A/AAAA responses so the SOCKS5
+	// handler can recover hostnames from IP-only CONNECT requests.
+	if questions[0].Type == dnsTypeA || questions[0].Type == dnsTypeAAAA {
+		d.reverse.PopulateFromResponse(domain, resp)
+	}
+
+	return resp, nil
 }
 
 // evaluate checks the DNS domain against the policy engine. Uses

internal/proxy/dns_reverse.go

@@ -0,0 +1,148 @@
+package proxy
+
+import (
+	"encoding/binary"
+	"net"
+	"sync"
+	"time"
+)
+
+// ReverseDNSCache maps IP addresses to hostnames based on observed DNS
+// responses. This enables the SOCKS5 handler to recover the original hostname
+// when tun2proxy sends IP-only CONNECT requests (tun2proxy operates at the
+// network level and only sees resolved IPs, not hostnames).
+//
+// Entries expire after 10 minutes. The cache is bounded to 10000 entries.
+type ReverseDNSCache struct {
+	mu      sync.RWMutex
+	entries map[string]reverseDNSEntry
+}
+
+type reverseDNSEntry struct {
+	hostname string
+	addedAt  time.Time
+}
+
+const (
+	reverseDNSTTL     = 10 * time.Minute
+	reverseDNSMaxSize = 10000
+)
+
+// NewReverseDNSCache creates a new reverse DNS cache.
+func NewReverseDNSCache() *ReverseDNSCache {
+	return &ReverseDNSCache{
+		entries: make(map[string]reverseDNSEntry, 256),
+	}
+}
+
+// Store adds an IP -> hostname mapping to the cache.
+func (c *ReverseDNSCache) Store(ip, hostname string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if len(c.entries) >= reverseDNSMaxSize {
+		c.evictExpiredLocked()
+	}
+	if len(c.entries) >= reverseDNSMaxSize {
+		return
+	}
+
+	c.entries[ip] = reverseDNSEntry{
+		hostname: hostname,
+		addedAt:  time.Now(),
+	}
+}
+
+// Lookup returns the hostname for an IP, or empty string if not found or expired.
+func (c *ReverseDNSCache) Lookup(ip string) string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	entry, ok := c.entries[ip]
+	if !ok {
+		return ""
+	}
+	if time.Since(entry.addedAt) > reverseDNSTTL {
+		return ""
+	}
+	return entry.hostname
+}
+
+// PopulateFromResponse parses a DNS response and extracts A/AAAA records,
+// storing the IP -> hostname mappings.
+func (c *ReverseDNSCache) PopulateFromResponse(hostname string, resp []byte) {
+	if len(resp) < dnsHeaderLen {
+		return
+	}
+
+	flags := binary.BigEndian.Uint16(resp[2:4])
+	if flags&dnsFlagQR == 0 {
+		return // not a response
+	}
+	if flags&0x000F != 0 {
+		return // error response
+	}
+
+	qdcount := int(binary.BigEndian.Uint16(resp[4:6]))
+	ancount := int(binary.BigEndian.Uint16(resp[6:8]))
+	if ancount == 0 {
+		return
+	}
+
+	// Skip question section.
+	offset := dnsHeaderLen
+	for i := 0; i < qdcount; i++ {
+		_, newOffset, err := parseDNSName(resp, offset)
+		if err != nil {
+			return
+		}
+		offset = newOffset + 4
+		if offset > len(resp) {
+			return
+		}
+	}
+
+	// Parse answer records.
+	for i := 0; i < ancount; i++ {
+		_, newOffset, err := parseDNSName(resp, offset)
+		if err != nil {
+			return
+		}
+		offset = newOffset
+		if offset+10 > len(resp) {
+			return
+		}
+
+		rrType := binary.BigEndian.Uint16(resp[offset : offset+2])
+		rdLength := binary.BigEndian.Uint16(resp[offset+8 : offset+10])
+		offset += 10
+
+		if offset+int(rdLength) > len(resp) {
+			return
+		}
+
+		switch rrType {
+		case dnsTypeA:
+			if rdLength == 4 {
+				ip := net.IPv4(resp[offset], resp[offset+1], resp[offset+2], resp[offset+3])
+				c.Store(ip.String(), hostname)
+			}
+		case dnsTypeAAAA:
+			if rdLength == 16 {
+				ip := net.IP(resp[offset : offset+16])
+				c.Store(ip.String(), hostname)
+			}
+		}
+
+		offset += int(rdLength)
+	}
+}
+
+func (c *ReverseDNSCache) evictExpiredLocked() {
+	now := time.Now()
+	for ip, entry := range c.entries {
+		if now.Sub(entry.addedAt) > reverseDNSTTL {
+			delete(c.entries, ip)
+		}
+	}
+}

internal/proxy/server.go

@@ -190,12 +190,13 @@ func (r *policyResolver) Resolve(ctx context.Context, name string) (context.Cont
 }
 
 type policyRuleSet struct {
-	engine     *atomic.Pointer[policy.Engine]
-	reloadMu   *sync.Mutex // serializes engine swaps and dynamic rule mutations
-	audit      *audit.FileLogger
-	broker     *channel.Broker
-	store      *store.Store
-	selfBypass map[string]bool // host:port addresses that bypass policy (sluice's own listeners)
+	engine         *atomic.Pointer[policy.Engine]
+	reloadMu       *sync.Mutex // serializes engine swaps and dynamic rule mutations
+	audit          *audit.FileLogger
+	broker         *channel.Broker
+	store          *store.Store
+	selfBypass     map[string]bool // host:port addresses that bypass policy (sluice's own listeners)
+	dnsInterceptor *DNSInterceptor // reverse DNS cache for IP -> hostname recovery
 }
 
 func (r *policyRuleSet) Allow(ctx context.Context, req *socks5.Request) (context.Context, bool) {
@@ -210,7 +211,21 @@ func (r *policyRuleSet) Allow(ctx context.Context, req *socks5.Request) (context
 	dest := req.DestAddr.FQDN
 	if dest == "" {
 		if req.DestAddr.IP != nil {
-			dest = req.DestAddr.IP.String()
+			ipStr := req.DestAddr.IP.String()
+			// Recover hostname from DNS reverse cache. tun2proxy operates
+			// at the network level and sends IP-only CONNECT requests.
+			// The DNS interceptor caches IP -> hostname mappings from
+			// responses, so we can show hostnames in approval messages
+			// and evaluate hostname-based policy rules.
+			if r.dnsInterceptor != nil {
+				if hostname := r.dnsInterceptor.ReverseLookup(ipStr); hostname != "" {
+					dest = hostname
+				} else {
+					dest = ipStr
+				}
+			} else {
+				dest = ipStr
+			}
 		} else {
 			return ctx, false
 		}
@@ -412,15 +427,15 @@ func New(cfg Config) (*Server, error) {
 		}
 	}
 
-	rules := &policyRuleSet{engine: enginePtr, reloadMu: reloadMu, audit: cfg.Audit, broker: cfg.Broker, store: cfg.Store, selfBypass: bypassSet}
-	dnsRes := &policyResolver{engine: enginePtr, audit: cfg.Audit, broker: cfg.Broker}
-	srv.rules = rules
-	srv.dnsResolver = dnsRes
-
 	// Create UDP relay and DNS interceptor for UDP ASSOCIATE sessions.
 	srv.udpRelay = NewUDPRelay(enginePtr, cfg.Audit)
 	srv.dnsInterceptor = NewDNSInterceptor(enginePtr, cfg.Audit, cfg.DNSResolver)
 
+	rules := &policyRuleSet{engine: enginePtr, reloadMu: reloadMu, audit: cfg.Audit, broker: cfg.Broker, store: cfg.Store, selfBypass: bypassSet, dnsInterceptor: srv.dnsInterceptor}
+	dnsRes := &policyResolver{engine: enginePtr, audit: cfg.Audit, broker: cfg.Broker}
+	srv.rules = rules
+	srv.dnsResolver = dnsRes
+
 	srv.socks = socks5.NewServer(
 		socks5.WithRule(rules),
 		socks5.WithResolver(dnsRes),