Configure DNS interfaces

maksimkurb · maksimkurb · commit 7e63bd1a6dd5 · 2025-11-24T21:16:14.000+05:00
diff --git a/src/internal/config/types.go b/src/internal/config/types.go
@@ -35,6 +35,7 @@ type GeneralConfig struct {
 	DNSCacheMaxDomains int      `toml:"dns_cache_max_domains" json:"dns_cache_max_domains" comment:"Maximum number of domains to cache in DNS proxy (default: 1000)"`
 	DropAAAA           *bool    `toml:"drop_aaaa" json:"drop_aaaa" comment:"Drop AAAA (IPv6) DNS responses (default: true)"`
 	TTLOverride        int      `toml:"ttl_override" json:"ttl_override" comment:"Override TTL for DNS responses in seconds (0 = use original TTL)"`
+	DNSProxyInterfaces []string `toml:"dns_proxy_interfaces" json:"dns_proxy_interfaces" comment:"Interfaces to intercept DNS traffic on (default: [\"br0\", \"br1\"])"`
 }
 
 // IsAPIEnabled returns whether REST API and web UI is enabled (default: true).
@@ -136,6 +137,14 @@ func (gc *GeneralConfig) GetTTLOverride() uint32 {
 	return uint32(gc.TTLOverride)
 }
 
+// GetDNSProxyInterfaces returns the interfaces to intercept DNS traffic on (default: ["br0", "br1"]).
+func (gc *GeneralConfig) GetDNSProxyInterfaces() []string {
+	if len(gc.DNSProxyInterfaces) == 0 {
+		return []string{"br0", "br1"}
+	}
+	return gc.DNSProxyInterfaces
+}
+
 type IPSetConfig struct {
 	IPSetName           string          `toml:"ipset_name" json:"ipset_name" comment:"Name of the ipset."`
 	Lists               []string        `toml:"lists" json:"lists" comment:"Add all hosts from the following lists to this ipset."`
diff --git a/src/internal/networking/component_dns_redirect.go b/src/internal/networking/component_dns_redirect.go
@@ -2,6 +2,7 @@ package networking
 
 import (
 	"fmt"
+	"net"
 	"strconv"
 	"strings"
 
@@ -26,14 +27,15 @@ type DNSRedirectComponent struct {
 	targetIPv4 string
 	targetIPv6 string
 	targetPort uint16
+	interfaces []string
 	ipt4       *iptables.IPTables
 	ipt6       *iptables.IPTables
 }
 
 // NewDNSRedirectComponent creates a new component for DNS redirection.
 // listenAddr is the address the DNS proxy listens on (e.g., "[::]" for dual-stack).
 // When listenAddr is "[::]" (dual-stack), redirects to localhost (::1 for IPv6, 127.0.0.1 for IPv4).
-func NewDNSRedirectComponent(listenAddr string, targetPort uint16) (*DNSRedirectComponent, error) {
+func NewDNSRedirectComponent(listenAddr string, targetPort uint16, interfaces []string) (*DNSRedirectComponent, error) {
 	ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create iptables (IPv4): %w", err)
@@ -66,6 +68,7 @@ func NewDNSRedirectComponent(listenAddr string, targetPort uint16) (*DNSRedirect
 		targetIPv4: targetIPv4,
 		targetIPv6: targetIPv6,
 		targetPort: targetPort,
+		interfaces: interfaces,
 		ipt4:       ipt4,
 		ipt6:       ipt6,
 	}, nil
@@ -113,7 +116,7 @@ func (c *DNSRedirectComponent) CreateIfNotExists() error {
 	}
 
 	// Get all local addresses
-	addresses, err := getLocalAddresses()
+	addresses, err := c.getLocalAddresses()
 	if err != nil {
 		return fmt.Errorf("failed to get local addresses: %w", err)
 	}
@@ -225,47 +228,64 @@ func (c *DNSRedirectComponent) createChainAndRules(ipt *iptables.IPTables, addre
 		}
 	}
 
-	// Get list of interfaces instead of addresses
-	links, err := netlink.LinkList()
-	if err != nil {
-		return fmt.Errorf("failed to list links: %w", err)
-	}
-
-	// Create a set of unique interface names to avoid duplicates
-	interfaceSet := make(map[string]bool)
-	for _, link := range links {
-		ifName := link.Attrs().Name
-		// Skip loopback interface
-		if ifName == "lo" {
+	// Add rules for each address
+	for _, addr := range addresses {
+		// Check if address matches current iptables protocol
+		isIPv4 := len(addr.IP) == net.IPv4len
+		if ipt.Proto() == iptables.ProtocolIPv4 && !isIPv4 {
 			continue
 		}
-		interfaceSet[ifName] = true
-	}
-
-	// Add rules for each interface
-	// Match on incoming interface + destination port 53, redirect to target port
-	// This works for all IP addresses (IPv4, global IPv6, link-local IPv6)
-	for ifName := range interfaceSet {
-		udpRule := []string{
-			"-i", ifName,
-			"-p", "udp",
-			"--dport", strconv.Itoa(dnsSourcePort),
-			"-j", "REDIRECT",
-			"--to-ports", strconv.Itoa(int(c.targetPort)),
-		}
-		if err := ipt.AppendUnique("nat", dnsRedirectChainName, udpRule...); err != nil {
-			return fmt.Errorf("failed to add UDP rule for %s: %w", ifName, err)
+		if ipt.Proto() == iptables.ProtocolIPv6 && isIPv4 {
+			continue
 		}
 
-		tcpRule := []string{
-			"-i", ifName,
-			"-p", "tcp",
-			"--dport", strconv.Itoa(dnsSourcePort),
-			"-j", "REDIRECT",
-			"--to-ports", strconv.Itoa(int(c.targetPort)),
-		}
-		if err := ipt.AppendUnique("nat", dnsRedirectChainName, tcpRule...); err != nil {
-			return fmt.Errorf("failed to add TCP rule for %s: %w", ifName, err)
+		// IPv4: Use REDIRECT with explicit destination IP
+		if ipt.Proto() == iptables.ProtocolIPv4 {
+			udpRule := []string{
+				"-d", addr.IP.String(),
+				"-p", "udp",
+				"--dport", strconv.Itoa(dnsSourcePort),
+				"-j", "REDIRECT",
+				"--to-ports", strconv.Itoa(int(c.targetPort)),
+			}
+			if err := ipt.AppendUnique("nat", dnsRedirectChainName, udpRule...); err != nil {
+				return fmt.Errorf("failed to add UDP rule for %s: %w", addr.IP, err)
+			}
+
+			tcpRule := []string{
+				"-d", addr.IP.String(),
+				"-p", "tcp",
+				"--dport", strconv.Itoa(dnsSourcePort),
+				"-j", "REDIRECT",
+				"--to-ports", strconv.Itoa(int(c.targetPort)),
+			}
+			if err := ipt.AppendUnique("nat", dnsRedirectChainName, tcpRule...); err != nil {
+				return fmt.Errorf("failed to add TCP rule for %s: %w", addr.IP, err)
+			}
+		} else {
+			// IPv6: Use DNAT to :port (preserves destination IP)
+			// This fixes Source IP selection for Link-Local addresses
+			udpRule := []string{
+				"-d", addr.IP.String() + "/128",
+				"-p", "udp",
+				"--dport", strconv.Itoa(dnsSourcePort),
+				"-j", "DNAT",
+				"--to-destination", fmt.Sprintf(":%d", c.targetPort),
+			}
+			if err := ipt.AppendUnique("nat", dnsRedirectChainName, udpRule...); err != nil {
+				return fmt.Errorf("failed to add UDP rule for %s: %w", addr.IP, err)
+			}
+
+			tcpRule := []string{
+				"-d", addr.IP.String() + "/128",
+				"-p", "tcp",
+				"--dport", strconv.Itoa(dnsSourcePort),
+				"-j", "DNAT",
+				"--to-destination", fmt.Sprintf(":%d", c.targetPort),
+			}
+			if err := ipt.AppendUnique("nat", dnsRedirectChainName, tcpRule...); err != nil {
+				return fmt.Errorf("failed to add TCP rule for %s: %w", addr.IP, err)
+			}
 		}
 	}
 
@@ -294,15 +314,26 @@ func (c *DNSRedirectComponent) deleteChainAndRules(ipt *iptables.IPTables) {
 	}
 }
 
-// getLocalAddresses returns all local IP addresses.
-func getLocalAddresses() ([]netlink.Addr, error) {
+// getLocalAddresses returns all local IP addresses for configured interfaces.
+func (c *DNSRedirectComponent) getLocalAddresses() ([]netlink.Addr, error) {
 	links, err := netlink.LinkList()
 	if err != nil {
 		return nil, fmt.Errorf("failed to list links: %w", err)
 	}
 
+	// Create map for fast lookup of configured interfaces
+	configuredInterfaces := make(map[string]bool)
+	for _, iface := range c.interfaces {
+		configuredInterfaces[iface] = true
+	}
+
 	var addresses []netlink.Addr
 	for _, link := range links {
+		// Filter interfaces
+		if !configuredInterfaces[link.Attrs().Name] {
+			continue
+		}
+
 		addrs, err := netlink.AddrList(link, netlink.FAMILY_ALL)
 		if err != nil {
 			log.Debugf("Failed to get addresses for %s: %v", link.Attrs().Name, err)
diff --git a/src/internal/networking/global_component_builder.go b/src/internal/networking/global_component_builder.go
@@ -13,6 +13,8 @@ type DNSRedirectConfig struct {
 	ListenAddr string
 	// ListenPort is the port the DNS proxy listens on
 	ListenPort uint16
+	// Interfaces to intercept DNS traffic on
+	Interfaces []string
 }
 
 // GlobalConfig contains configuration for global (service-level) components.
@@ -27,6 +29,7 @@ func GlobalConfigFromAppConfig(cfg *config.Config) GlobalConfig {
 			Enabled:    cfg.General.IsDNSProxyEnabled(),
 			ListenAddr: cfg.General.GetDNSProxyListenAddr(),
 			ListenPort: uint16(cfg.General.GetDNSProxyPort()),
+			Interfaces: cfg.General.GetDNSProxyInterfaces(),
 		},
 	}
 }
@@ -61,7 +64,7 @@ func (b *GlobalComponentBuilder) BuildComponents(cfg GlobalConfig) ([]Networking
 
 	// DNS Redirect component (only if DNS proxy is enabled)
 	if cfg.DNSRedirect.Enabled {
-		dnsRedirect, err := NewDNSRedirectComponent(cfg.DNSRedirect.ListenAddr, cfg.DNSRedirect.ListenPort)
+		dnsRedirect, err := NewDNSRedirectComponent(cfg.DNSRedirect.ListenAddr, cfg.DNSRedirect.ListenPort, cfg.DNSRedirect.Interfaces)
 		if err != nil {
 			return nil, err
 		}

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@ type DNSRedirectConfig struct {`
`13`	`13`	`ListenAddr string`
`14`	`14`	`// ListenPort is the port the DNS proxy listens on`
`15`	`15`	`ListenPort uint16`
	`16`	`+ // Interfaces to intercept DNS traffic on`
	`17`	`+ Interfaces []string`
`16`	`18`	`}`
`17`	`19`
`18`	`20`	`// GlobalConfig contains configuration for global (service-level) components.`
`@@ -27,6 +29,7 @@ func GlobalConfigFromAppConfig(cfg *config.Config) GlobalConfig {`
`27`	`29`	`Enabled: cfg.General.IsDNSProxyEnabled(),`
`28`	`30`	`ListenAddr: cfg.General.GetDNSProxyListenAddr(),`
`29`	`31`	`ListenPort: uint16(cfg.General.GetDNSProxyPort()),`
	`32`	`+ Interfaces: cfg.General.GetDNSProxyInterfaces(),`
`30`	`33`	`},`
`31`	`34`	`}`
`32`	`35`	`}`
`@@ -61,7 +64,7 @@ func (b *GlobalComponentBuilder) BuildComponents(cfg GlobalConfig) ([]Networking`
`61`	`64`
`62`	`65`	`// DNS Redirect component (only if DNS proxy is enabled)`
`63`	`66`	`if cfg.DNSRedirect.Enabled {`
`64`		`- dnsRedirect, err := NewDNSRedirectComponent(cfg.DNSRedirect.ListenAddr, cfg.DNSRedirect.ListenPort)`
	`67`	`+ dnsRedirect, err := NewDNSRedirectComponent(cfg.DNSRedirect.ListenAddr, cfg.DNSRedirect.ListenPort, cfg.DNSRedirect.Interfaces)`
`65`	`68`	`if err != nil {`
`66`	`69`	`return nil, err`
`67`	`70`	`}`