Skip to main content

Module dns

Module dns 

Source
Expand description

DNS interception via smoltcp UDP socket + async resolution.

UDP/53 queries flow through smoltcp to a bound UDP socket; the poll loop reads them and forwards via the forwarder task. TCP/53 connections are accepted as ordinary smoltcp TCP sockets, then handed to the tcp proxy which frames RFC 1035 §4.2.2 messages and routes them through the same shared forwarder. TCP/853 connections are handed to the dot proxy when TLS interception is configured: it terminates the guest’s TLS with a per-domain cert from the intercept CA, parses the same length-prefixed DNS frames, and routes them through the shared forwarder. All three transports enforce the same block list + rebind protection.

Alternative DNS-ish protocols on well-known ports (DoQ, mDNS, LLMNR, NetBIOS-NS) are refused at the stack layer — see ports. We don’t intercept them because their wire formats are encrypted (DoQ) or non-DNS (NetBIOS/mDNS/LLMNR multicast discovery), so the operator-configured block list + rebind protection couldn’t apply. Refusal forces the guest’s stub to fall back to plain DNS on port 53, which we do see. DoT without a configured intercept CA is refused the same way.

Re-exports§

pub use nameserver::Nameserver;
pub use nameserver::ParseNameserverError;

Modules§

interceptor
DNS query interception: the smoltcp ↔ channel bridge.
nameserver
Upstream DNS server discovery.