[tunnel] allow configuring of dns relay

Author: theRealWardo

cmd/backplane/main.go

@@ -95,7 +95,8 @@ var (
 
 wsRouterPort = flag.Int("ws_router_port", 8082, "Port for the WebSocket router.")
 
-dnsPort = flag.Int("dns_port", 8053, "Port for the DNS server.")
+dnsPort = flag.Int("dns_port", 8053, "Port for the DNS server.")
+tunnelDNSAddr = flag.String("tunnel_dns_addr", "127.0.0.1:8053", "Address for the DNS server run by tunnel agents.")
 )
 
 func upsertProxyFromPath(ctx context.Context, rC *rest.Config, path string) (string, error) {
@@ -341,7 +342,7 @@ func main() {
 log.Fatalf("failed to set up EdgeFunction controller: %v", err)
 }
 
-tunnelResolver := tundns.NewTunnelNodeDNSReconciler(mgr.GetClient())
+tunnelResolver := tundns.NewTunnelNodeDNSReconciler(mgr.GetClient(), *tunnelDNSAddr)
 if err := tunnelResolver.SetupWithManager(mgr); err != nil {
 log.Fatalf("failed to set up TunnelNodeDNS controller: %v", err)
 }

pkg/cmd/tunnel/cmd.go

@@ -219,6 +219,7 @@ func init() {
 tunnelRunCmd.Flags().StringSliceVar(&preserveDefaultGw, "preserve-default-gw-dsts", []string{}, "Preserve default gateway.")
 tunnelRunCmd.Flags().StringVar(&socksListenAddr, "socks-addr", "localhost:1080", "Listen address for SOCKS proxy.")
 tunnelRunCmd.Flags().IntVar(&minConns, "min-conns", 1, "Minimum number of connections to maintain.")
+tunnelRunCmd.Flags().StringVar(&dnsListenAddr, "dns-addr", "127.0.0.1:8053", "Listen address for the DNS proxy. Note that you must configure backplane to use this address as well.")
 
 tunnelCmd.AddCommand(createCmd)
 tunnelCmd.AddCommand(getCmd)

pkg/cmd/tunnel/run.go

@@ -55,6 +55,7 @@ var (
 preserveDefaultGw []string
 socksListenAddr string
 minConns int
+dnsListenAddr string
 
 preserveDefaultGwDsts []netip.Prefix
 )
@@ -116,7 +117,7 @@ var tunnelRunCmd = &cobra.Command{
 go func() {
 // Launch an internal recursive DNS resolver used
 // to resolve addresses of IPv4 services.
-if err := dns.ListenAndServe("127.0.0.53:8053"); err != nil {
+if err := dns.ListenAndServe(dnsListenAddr); err != nil {
 log.Fatalf("failed to start DNS server: %v", err)
 }
 }()

pkg/tunnel/dns/resolver.go

@@ -37,14 +37,21 @@ type TunnelNodeDNSReconciler struct {
 
 nameCache *haxmap.Map[string, sets.Set[netip.Addr]]
 uuidCache *haxmap.Map[string, sets.Set[netip.Addr]]
+
+tunnelDNSAddr netip.AddrPort
 }
 
 // NewTunnelNodeDNSReconciler creates a new TunnelNodeDNSReconciler.
-func NewTunnelNodeDNSReconciler(client client.Client) *TunnelNodeDNSReconciler {
+func NewTunnelNodeDNSReconciler(client client.Client, tunnelDNSAddr string) *TunnelNodeDNSReconciler {
+ap, err := netip.ParseAddrPort(tunnelDNSAddr)
+if err != nil {
+apoxylog.Fatalf("failed to parse tunnel DNS address and port: %v", err)
+}
 return &TunnelNodeDNSReconciler{
-Client: client,
-nameCache: haxmap.New[string, sets.Set[netip.Addr]](),
-uuidCache: haxmap.New[string, sets.Set[netip.Addr]](),
+Client: client,
+nameCache: haxmap.New[string, sets.Set[netip.Addr]](),
+uuidCache: haxmap.New[string, sets.Set[netip.Addr]](),
+tunnelDNSAddr: ap,
 }
 }
 
@@ -224,12 +231,13 @@ func (r *TunnelNodeDNSReconciler) recursiveResolve(ctx context.Context, w dns.Re
 var addr string
 if ip.Is6() {
 ipv6Bytes := ip.As16()
-ipv6Bytes[12] = 127
-ipv6Bytes[13] = 0
-ipv6Bytes[14] = 0
-ipv6Bytes[15] = 53
+ipv4Bytes := r.tunnelDNSAddr.Addr().As4()
+ipv6Bytes[12] = ipv4Bytes[0]
+ipv6Bytes[13] = ipv4Bytes[1]
+ipv6Bytes[14] = ipv4Bytes[2]
+ipv6Bytes[15] = ipv4Bytes[3]
 targetIP := netip.AddrFrom16(ipv6Bytes)
-addr = fmt.Sprintf("[%s]:8053", targetIP.String())
+addr = fmt.Sprintf("[%s]:%d", targetIP.String(), r.tunnelDNSAddr.Port())
 } else {
 apoxylog.Debugf("non-IPv6 address %s, skipping", ip.String())
 continue