
microsandbox_network/dns/mod.rs

//! DNS interception via smoltcp UDP socket + async resolution.
//!
//! UDP/53 queries flow through smoltcp to a bound UDP socket; the poll
//! loop reads them and forwards via the `forwarder` task. TCP/53
//! connections are accepted as ordinary smoltcp TCP sockets, then
//! handed to the `tcp` proxy, which parses the length-prefixed message
//! framing of RFC 1035 §4.2.2 and routes each message through the same
//! shared forwarder. TCP/853 connections are handed to the `dot` proxy
//! when TLS interception is configured: it terminates the guest's TLS
//! with a per-domain cert from the intercept CA, parses the same
//! length-prefixed DNS frames, and routes them through the shared
//! forwarder. All three transports enforce the same block list and
//! rebind protection.
//!
//! Alternative DNS-ish protocols on well-known ports (DoQ, mDNS,
//! LLMNR, NetBIOS-NS) are refused at the stack layer — see `ports`.
//! We don't intercept them because their payloads are either encrypted
//! (DoQ) or multicast/broadcast name discovery rather than unicast
//! resolver traffic (mDNS, LLMNR, NetBIOS-NS), so the operator-configured
//! block list and rebind protection couldn't apply. Refusal forces the
//! guest's stub to fall back to plain DNS on port 53, which we do see.
//! DoT without a configured intercept CA is refused the same way.

pub(crate) mod common;
pub mod interceptor;
pub mod nameserver;
pub(crate) mod proxies;

mod client;
pub(crate) mod forwarder;

pub use nameserver::{Nameserver, ParseNameserverError};
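The module doc above describes two things the `tcp` and `dot` proxies share: the RFC 1035 §4.2.2 framing (a 2-byte big-endian length in front of each DNS message on a byte stream) and the block list plus rebind protection applied to every transport. The block below is an added example written for this page, not microsandbox's own code and not its API: it implements a stream framer that handles frames split across reads and rejects impossible lengths, extracts the QNAME for a suffix-match block list, and walks the answer section (including RFC 1035 §4.1.4 compression pointers) to flag A records that would steer the guest at private, loopback, link-local or 0.0.0.0/8 addresses. The names `TcpDnsFramer`, `query_name`, `is_blocked`, `rebind_addrs`, `build_query` and `build_response` are illustrative, and the query/response bytes are constructed inside the block so it runs offline.

```rust
// Added example, not microsandbox's own code. Names are illustrative and the
// sample messages are constructed in build_query / build_response below.
use std::net::Ipv4Addr;

fn be16(b: &[u8], i: usize) -> u16 { u16::from_be_bytes([b[i], b[i + 1]]) }

/// Buffers a TCP/53 (or decrypted TCP/853) stream and yields complete DNS
/// messages framed per RFC 1035 §4.2.2 (2-byte big-endian length, then the
/// message). Partial frames wait; a length below the 12-byte header is an error.
#[derive(Default)]
pub struct TcpDnsFramer { buf: Vec<u8> }

impl TcpDnsFramer {
    pub fn feed(&mut self, data: &[u8]) -> Result<Vec<Vec<u8>>, String> {
        self.buf.extend_from_slice(data);
        let mut out = Vec::new();
        while self.buf.len() >= 2 {
            let len = be16(&self.buf, 0) as usize;
            if len < 12 { return Err(format!("frame length {} too short", len)); }
            if self.buf.len() < 2 + len { break; } // incomplete: wait for more bytes
            out.push(self.buf[2..2 + len].to_vec());
            self.buf.drain(..2 + len);
        }
        Ok(out)
    }
}

/// Reads a name at `pos`, following RFC 1035 §4.1.4 compression pointers;
/// returns (lowercased dotted name, offset just past the name's inline bytes).
fn read_name(msg: &[u8], mut pos: usize) -> Result<(String, usize), String> {
    let (mut labels, mut end, mut jumps) = (Vec::new(), None, 0);
    loop {
        let len = *msg.get(pos).ok_or("truncated name")? as usize;
        if len == 0 { pos += 1; break; }
        if len & 0xC0 == 0xC0 {
            let lo = *msg.get(pos + 1).ok_or("truncated pointer")? as usize;
            end.get_or_insert(pos + 2); // inline name ends after the pointer
            jumps += 1;
            if jumps > 16 { return Err("compression pointer loop".into()); }
            pos = ((len & 0x3F) << 8) | lo;
            continue;
        }
        let label = msg.get(pos + 1..pos + 1 + len).ok_or("truncated label")?;
        labels.push(String::from_utf8_lossy(label).to_ascii_lowercase());
        pos += 1 + len;
    }
    Ok((labels.join("."), end.unwrap_or(pos)))
}

/// QNAME of the first question: all a block list needs from a query.
pub fn query_name(msg: &[u8]) -> Result<String, String> {
    if msg.len() < 12 || be16(msg, 4) == 0 { return Err("no question".into()); }
    Ok(read_name(msg, 12)?.0)
}

/// Suffix match: "ads.example" blocks itself and subdomains, not "notads.example".
pub fn is_blocked(name: &str, block_list: &[&str]) -> bool {
    let name = name.trim_end_matches('.').to_ascii_lowercase();
    block_list.iter().map(|b| b.trim_end_matches('.').to_ascii_lowercase())
        .any(|b| name == b || name.ends_with(&format!(".{}", b)))
}

/// Rebind protection: A records pointing into RFC 1918, loopback, link-local
/// or 0.0.0.0/8 space. A non-empty result means the response must be dropped.
pub fn rebind_addrs(msg: &[u8]) -> Result<Vec<Ipv4Addr>, String> {
    if msg.len() < 12 { return Err("short header".into()); }
    let (mut pos, mut bad) = (12, Vec::new());
    for _ in 0..be16(msg, 4) { pos = read_name(msg, pos)?.1 + 4; } // skip QTYPE, QCLASS
    for _ in 0..be16(msg, 6) {
        let (_, p) = read_name(msg, pos)?;
        let fixed = msg.get(p..p + 10).ok_or("truncated RR")?; // TYPE CLASS TTL RDLENGTH
        let rdlen = be16(fixed, 8) as usize;
        let rdata = msg.get(p + 10..p + 10 + rdlen).ok_or("truncated RDATA")?;
        if be16(fixed, 0) == 1 && rdlen == 4 {
            let ip = Ipv4Addr::new(rdata[0], rdata[1], rdata[2], rdata[3]);
            if ip.is_private() || ip.is_loopback() || ip.is_link_local()
                || ip.octets()[0] == 0 { bad.push(ip); }
        }
        pos = p + 10 + rdlen;
    }
    Ok(bad)
}

/// Constructed sample query: id 0x1234, RD set, one A/IN question.
pub fn build_query(name: &str) -> Vec<u8> {
    let mut m = vec![0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    for label in name.trim_end_matches('.').split('.') {
        m.push(label.len() as u8);
        m.extend_from_slice(label.as_bytes());
    }
    m.extend_from_slice(&[0, 0, 1, 0, 1]); // root label, QTYPE=A, QCLASS=IN
    m
}

/// Constructed sample response: the query plus one A record whose owner name
/// is a compression pointer (0xC00C) back to the question at offset 12.
pub fn build_response(query: &[u8], ip: Ipv4Addr) -> Vec<u8> {
    let mut m = query.to_vec();
    m[2] = 0x81; m[3] = 0x80; m[7] = 1; // QR, RD, RA; ANCOUNT = 1
    m.extend_from_slice(&[0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4]);
    m.extend_from_slice(&ip.octets());
    m
}
```

Two points the code makes that the doc comment only implies: a TCP or DoT read boundary is not a message boundary, so `feed` must keep a partial frame and may return zero or several messages per read; and the rebind check has to run on the upstream response before it is written back to the guest, whereas the block list is decided on the query's QNAME before anything is forwarded.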