feat: DNS over TLS resolver

2025-06-10 22:39:54 +00:00 · 2023-08-04 14:03:23 -07:00 · 2023-08-04 14:03:23 -07:00 · 6ad44d183e
commit 6ad44d183e
parent 7c94b072ed
5 changed files with 54 additions and 4 deletions
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
@ -101,10 +101,18 @@ type serverConfigResolverUDP struct {
 	Timeout time.Duration `mapstructure:"timeout"`
 }

+type serverConfigResolverTLS struct {
+	Addr     string        `mapstructure:"addr"`
+	Timeout  time.Duration `mapstructure:"timeout"`
+	SNI      string        `mapstructure:"sni"`
+	Insecure bool          `mapstructure:"insecure"`
+}
+
 type serverConfigResolver struct {
 	Type string                  `mapstructure:"type"`
 	TCP  serverConfigResolverTCP `mapstructure:"tcp"`
 	UDP  serverConfigResolverUDP `mapstructure:"udp"`
+	TLS  serverConfigResolverTLS `mapstructure:"tls"`
 }

 type serverConfigMasqueradeFile struct {
@ -254,6 +262,11 @@ func (c *serverConfig) fillOutboundConfig(hyConfig *server.Config) error {
 			return configError{Field: "resolver.udp.addr", Err: errors.New("empty resolver address")}
 		}
 		ob = outbounds.NewStandardResolverUDP(c.Resolver.UDP.Addr, c.Resolver.UDP.Timeout, ob)
+	case "tls", "tcp-tls":
+		if c.Resolver.TLS.Addr == "" {
+			return configError{Field: "resolver.tls.addr", Err: errors.New("empty resolver address")}
+		}
+		ob = outbounds.NewStandardResolverTLS(c.Resolver.TLS.Addr, c.Resolver.TLS.Timeout, c.Resolver.TLS.SNI, c.Resolver.TLS.Insecure, ob)
 	default:
 		return configError{Field: "resolver.type", Err: errors.New("unsupported resolver type")}
 	}
--- a/app/cmd/server_test.go
+++ b/app/cmd/server_test.go
@ -71,6 +71,12 @@ func TestServerConfig(t *testing.T) {
 				Addr:    "4.6.8.0:53",
 				Timeout: 2 * time.Second,
 			},
+			TLS: serverConfigResolverTLS{
+				Addr:     "dot.yolo.com:8853",
+				Timeout:  10 * time.Second,
+				SNI:      "server1.yolo.net",
+				Insecure: true,
+			},
 		},
 		Masquerade: serverConfigMasquerade{
 			Type: "proxy",
--- a/app/cmd/server_test.yaml
+++ b/app/cmd/server_test.yaml
@ -49,6 +49,11 @@ resolver:
  udp:
    addr: 4.6.8.0:53
    timeout: 2s
+  tls:
+    addr: dot.yolo.com:8853
+    timeout: 10s
+    sni: server1.yolo.net
+    insecure: true

 masquerade:
  type: proxy
--- a/app/server.example.yaml
+++ b/app/server.example.yaml
@ -41,10 +41,12 @@ auth:
  password: some_password

 # resolver:
-#   type: udp
-#   udp:
-#     addr: 8.8.4.4
-#     timeout: 2s
+#   type: tls
+#   tls:
+#     addr: dot.yolo.com:8853
+#     timeout: 10s
+#     sni: server1.yolo.net
+#     insecure: true

 masquerade:
  type: proxy
--- a/extras/outbounds/dns_standard.go
+++ b/extras/outbounds/dns_standard.go
@ -1,6 +1,7 @@
 package outbounds

 import (
+	"crypto/tls"
 	"net"
 	"time"

@ -42,6 +43,21 @@ func NewStandardResolverTCP(addr string, timeout time.Duration, next PluggableOu
 	}
 }

+func NewStandardResolverTLS(addr string, timeout time.Duration, sni string, insecure bool, next PluggableOutbound) PluggableOutbound {
+	return &standardResolver{
+		Addr: addDefaultPortTLS(addr),
+		Client: &dns.Client{
+			Net:     "tcp-tls",
+			Timeout: timeoutOrDefault(timeout),
+			TLSConfig: &tls.Config{
+				ServerName:         sni,
+				InsecureSkipVerify: insecure,
+			},
+		},
+		Next: next,
+	}
+}
+
 // addDefaultPort adds the default DNS port (53) to the address if not present.
 func addDefaultPort(addr string) string {
 	if _, _, err := net.SplitHostPort(addr); err != nil {
@ -50,6 +66,14 @@ func addDefaultPort(addr string) string {
 	return addr
 }

+// addDefaultPortTLS adds the default DNS-over-TLS port (853) to the address if not present.
+func addDefaultPortTLS(addr string) string {
+	if _, _, err := net.SplitHostPort(addr); err != nil {
+		return net.JoinHostPort(addr, "853")
+	}
+	return addr
+}
+
 func timeoutOrDefault(timeout time.Duration) time.Duration {
 	if timeout == 0 {
 		return standardResolverDefaultTimeout