net/dns, wgengine: implement DNS over TCP (#4598)

* net/dns, wgengine: implement DNS over TCP Signed-off-by: Tom DNetto <tom@tailscale.com> * wgengine/netstack: intercept only relevant port/protocols to quad-100 Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-08-11 21:27:31 +00:00 · 2022-05-05 16:42:45 -07:00
parent c4f06ef7be
commit d1d6ab068e
3 changed files with 273 additions and 0 deletions
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -373,6 +373,19 @@ func (ns *Impl) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper) filter.Re
 	if dst := p.Dst.IP(); dst != magicDNSIP && dst != magicDNSIPv6 {
 		return filter.Accept
 	}
+	// Of traffic to the service IP, we only care about UDP 53, and TCP
+	// on port 80 & 53.
+	switch p.IPProto {
+	case ipproto.TCP:
+		if port := p.Dst.Port(); port != 53 && port != 80 {
+			return filter.Accept
+		}
+	case ipproto.UDP:
+		if port := p.Dst.Port(); port != 53 {
+			return filter.Accept
+		}
+	}
+

 	var pn tcpip.NetworkProtocolNumber
 	switch p.IPVersion {
@@ -758,6 +771,11 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 	// block until the TCP handshake is complete.
 	c := gonet.NewTCPConn(&wq, ep)

+	if reqDetails.LocalPort == 53 && (dialIP == magicDNSIP || dialIP == magicDNSIPv6) {
+		go ns.dns.HandleTCPConn(c, netaddr.IPPortFrom(clientRemoteIP, reqDetails.RemotePort))
+		return
+	}
+
 	if ns.lb != nil {
 		if reqDetails.LocalPort == 22 && ns.processSSH() && ns.isLocalIP(dialIP) {
 			if err := ns.lb.HandleSSHConn(c); err != nil {