based on Release v2026.04.04.040456-af79daf

Author: RamtinAbdi

internal/client/tunnel_runtime.go

@@ -12,6 +12,7 @@
 package client
 
 import (
+	"encoding/binary"
 	"errors"
 	"net"
 	"time"
@@ -24,6 +25,7 @@ const (
 	// RuntimeUDPReadBufferSize defines the maximum size of the UDP read buffer.
 	RuntimeUDPReadBufferSize         = 65535
 	runtimeUDPMaxMismatchedResponses = 64
+	runtimeUDPDrainGrace             = time.Millisecond
 
 	// pooledConnMaxAge is the maximum time a UDP connection can remain idle in
 	// the resolver pool before it is discarded and re-dialed. Stale connections can have their
@@ -37,45 +39,76 @@ type pooledUDPConn struct {
 	pooledAt time.Time
 }
 
+func (c *Client) drainStaleUDPResponses(conn *net.UDPConn, buffer []byte) error {
+	if conn == nil || len(buffer) == 0 {
+		return nil
+	}
+
+	for drained := 0; drained < runtimeUDPMaxMismatchedResponses*2; drained++ {
+		if err := conn.SetReadDeadline(time.Now().Add(runtimeUDPDrainGrace)); err != nil {
+			return err
+		}
+
+		_, err := conn.Read(buffer)
+		if err != nil {
+			if ne, ok := err.(net.Error); ok && ne.Timeout() {
+				return nil
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 // exchangeUDPQueryWithConn sends one UDP packet through the provided connection
 // and waits for a response with a matching DNS transaction ID.
 func (c *Client) exchangeUDPQueryWithConn(conn *net.UDPConn, packet []byte, timeout time.Duration) ([]byte, error) {
 	if len(packet) < 2 {
 		return nil, errors.New("malformed dns query")
 	}
-	expectedID0 := packet[0]
-	expectedID1 := packet[1]
+	expectedID := binary.BigEndian.Uint16(packet[:2])
+
+	buffer := c.getRuntimeUDPBuffer()
+	defer c.putRuntimeUDPBuffer(buffer)
+	defer func() {
+		_ = conn.SetDeadline(time.Time{})
+	}()
+
+	if err := c.drainStaleUDPResponses(conn, buffer); err != nil {
+		return nil, err
+	}
 
-	deadline := time.Now().Add(timeout)
-	if err := conn.SetDeadline(deadline); err != nil {
+	writeDeadline := time.Now().Add(timeout)
+	if err := conn.SetWriteDeadline(writeDeadline); err != nil {
 		return nil, err
 	}
 
 	if _, err := conn.Write(packet); err != nil {
 		return nil, err
 	}
 
-	buffer := c.getRuntimeUDPBuffer()
+	if err := conn.SetReadDeadline(writeDeadline); err != nil {
+		return nil, err
+	}
+
 	mismatchedResponses := 0
 
 	for {
 		n, err := conn.Read(buffer)
 		if err != nil {
-			c.putRuntimeUDPBuffer(buffer)
 			return nil, err
 		}
 
-		if n >= 2 && buffer[0] == expectedID0 && buffer[1] == expectedID1 {
+		if n >= 2 && binary.BigEndian.Uint16(buffer[:2]) == expectedID {
 			// Copy matched response out so the pooled buffer can be recycled.
 			result := make([]byte, n)
 			copy(result, buffer[:n])
-			c.putRuntimeUDPBuffer(buffer)
 			return result, nil
 		}
 
 		mismatchedResponses++
 		if mismatchedResponses >= runtimeUDPMaxMismatchedResponses {
-			c.putRuntimeUDPBuffer(buffer)
 			return nil, errors.New("too many mismatched dns responses on shared udp socket")
 		}
 	}

internal/client/tunnel_runtime_test.go

@@ -8,6 +8,7 @@
 package client
 
 import (
+	"encoding/binary"
 	"net"
 	"strings"
 	"testing"
@@ -93,3 +94,64 @@ func TestExchangeUDPQueryWithConnFailsAfterTooManyMismatches(t *testing.T) {
 
 	<-done
 }
+
+func TestExchangeUDPQueryWithConnDrainsStaleResponsesBeforeSending(t *testing.T) {
+	serverConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	if err != nil {
+		t.Fatalf("ListenUDP server failed: %v", err)
+	}
+	defer serverConn.Close()
+
+	clientConn, err := net.DialUDP("udp", nil, serverConn.LocalAddr().(*net.UDPAddr))
+	if err != nil {
+		t.Fatalf("DialUDP client failed: %v", err)
+	}
+	defer clientConn.Close()
+
+	serverDone := make(chan struct{})
+	go func() {
+		defer close(serverDone)
+		buf := make([]byte, 512)
+
+		n, addr, err := serverConn.ReadFromUDP(buf)
+		if err != nil || n < 2 {
+			return
+		}
+
+		time.Sleep(40 * time.Millisecond)
+		for i := 0; i < runtimeUDPMaxMismatchedResponses+4; i++ {
+			_, _ = serverConn.WriteToUDP([]byte{buf[0], buf[1], 0x81, byte(i)}, addr)
+		}
+
+		n, addr, err = serverConn.ReadFromUDP(buf)
+		if err != nil || n < 2 {
+			return
+		}
+
+		resp := []byte{buf[0], buf[1], 0x81, 0x00}
+		_, _ = serverConn.WriteToUDP(resp, addr)
+	}()
+
+	c := &Client{}
+
+	firstQuery := make([]byte, 4)
+	binary.BigEndian.PutUint16(firstQuery[0:2], 0x1234)
+	_, err = c.exchangeUDPQueryWithConn(clientConn, firstQuery, 10*time.Millisecond)
+	if err == nil {
+		t.Fatal("expected first query to time out before delayed stale responses arrive")
+	}
+
+	time.Sleep(60 * time.Millisecond)
+
+	secondQuery := make([]byte, 4)
+	binary.BigEndian.PutUint16(secondQuery[0:2], 0x5678)
+	resp, err := c.exchangeUDPQueryWithConn(clientConn, secondQuery, 500*time.Millisecond)
+	if err != nil {
+		t.Fatalf("second query failed after stale drain: %v", err)
+	}
+	if len(resp) < 2 || binary.BigEndian.Uint16(resp[0:2]) != 0x5678 {
+		t.Fatalf("unexpected second response: %#v", resp)
+	}
+
+	<-serverDone
+}

internal/dnsparser/parser.go

@@ -321,10 +321,9 @@ func parseName(data []byte, offset int) (string, int, error) {
 	return name.String(), origNext, nil
 }
 
-
 func writeLowerASCIILabel(dst *strings.Builder, label []byte) {
 	upperIndex := -1
-	for i := 0; i < len(label); i++ {
+	for i := range label {
 		if label[i] >= 'A' && label[i] <= 'Z' {
 			upperIndex = i
 			break

internal/dnsparser/response.go

@@ -28,6 +28,18 @@ func BuildEmptyNoErrorResponseFromLite(request []byte, parsed LitePacket) ([]byt
 	return buildResponseWithRCodeLite(request, parsed, Enums.DNSR_CODE_NO_ERROR)
 }
 
+func BuildNoDataResponse(request []byte) ([]byte, error) {
+	parsed, err := ParseDNSRequestLite(request)
+	if err != nil {
+		return nil, err
+	}
+	return BuildNoDataResponseFromLite(request, parsed)
+}
+
+func BuildNoDataResponseFromLite(request []byte, parsed LitePacket) ([]byte, error) {
+	return buildNoDataResponseLite(request, parsed)
+}
+
 func BuildFormatErrorResponse(request []byte) ([]byte, error) {
 	return buildResponseWithRCode(request, Enums.DNSR_CODE_FORMAT_ERROR)
 }
@@ -52,6 +64,27 @@ func BuildNotImplementedResponseFromLite(request []byte, parsed LitePacket) ([]b
 	return buildResponseWithRCodeLite(request, parsed, Enums.DNSR_CODE_NOT_IMPLEMENTED)
 }
 
+const (
+	syntheticNoDataTTL     = 60
+	syntheticNoDataRefresh = 60
+	syntheticNoDataRetry   = 60
+	syntheticNoDataExpire  = 300
+	syntheticNoDataMinimum = 60
+)
+
+var (
+	syntheticSOAMName = []byte{
+		0x02, 'n', 's',
+		0x07, 'i', 'n', 'v', 'a', 'l', 'i', 'd',
+		0x00,
+	}
+	syntheticSOARName = []byte{
+		0x0a, 'h', 'o', 's', 't', 'm', 'a', 's', 't', 'e', 'r',
+		0x07, 'i', 'n', 'v', 'a', 'l', 'i', 'd',
+		0x00,
+	}
+)
+
 func buildResponseWithRCode(request []byte, rcode uint8) ([]byte, error) {
 	if len(request) < dnsHeaderSize {
 		return nil, ErrPacketTooShort
@@ -70,7 +103,6 @@ func buildResponseWithRCode(request []byte, rcode uint8) ([]byte, error) {
 		questionCount = header.QDCount
 	}
 
-
 	optStart, optLen := findOPTRecordRange(request, header, questionEndOffset)
 
 	response := make([]byte, dnsHeaderSize+questionLen+optLen)
@@ -87,7 +119,6 @@ func buildResponseWithRCode(request []byte, rcode uint8) ([]byte, error) {
 		copy(response[dnsHeaderSize+questionLen:], request[optStart:optStart+optLen])
 	}
 
-
 	return response, nil
 }
 
@@ -122,14 +153,83 @@ func buildResponseWithRCodeLite(request []byte, parsed LitePacket, rcode uint8)
 	return response, nil
 }
 
+func buildNoDataResponseLite(request []byte, parsed LitePacket) ([]byte, error) {
+	if len(request) < dnsHeaderSize {
+		return nil, ErrPacketTooShort
+	}
+	if !isLikelyDNSRequestHeader(parsed.Header) {
+		return nil, ErrNotDNSRequest
+	}
+
+	optStart, optLen := findOPTRecordRange(request, parsed.Header, parsed.QuestionEndOffset)
+
+	questionLen := 0
+	if parsed.QuestionEndOffset >= dnsHeaderSize && parsed.QuestionEndOffset <= len(request) {
+		questionLen = parsed.QuestionEndOffset - dnsHeaderSize
+	}
+
+	authority := buildSyntheticSOAAuthority(parsed)
+	response := make([]byte, dnsHeaderSize+questionLen+len(authority)+optLen)
+	binary.BigEndian.PutUint16(response[0:2], parsed.Header.ID)
+	binary.BigEndian.PutUint16(response[2:4], buildResponseFlags(parsed.Header.Flags, Enums.DNSR_CODE_NO_ERROR))
+	binary.BigEndian.PutUint16(response[4:6], parsed.Header.QDCount)
+	if len(authority) > 0 {
+		binary.BigEndian.PutUint16(response[8:10], 1)
+	}
+	binary.BigEndian.PutUint16(response[10:12], uint16(getARCount(optLen)))
+
+	offset := dnsHeaderSize
+	if questionLen > 0 {
+		copy(response[offset:], request[dnsHeaderSize:parsed.QuestionEndOffset])
+		offset += questionLen
+	}
+	if len(authority) > 0 {
+		copy(response[offset:], authority)
+		offset += len(authority)
+	}
+	if optLen > 0 {
+		copy(response[offset:], request[optStart:optStart+optLen])
+	}
+
+	return response, nil
+}
+
+func buildSyntheticSOAAuthority(parsed LitePacket) []byte {
+	owner := []byte{0}
+	if parsed.HasQuestion {
+		// Reuse the first question name via compression pointer to keep the
+		// synthetic authority compact and avoid re-encoding the qname.
+		owner = []byte{0xC0, 0x0C}
+	}
+
+	rdataLen := len(syntheticSOAMName) + len(syntheticSOARName) + 20
+	record := make([]byte, len(owner)+10+rdataLen)
+
+	offset := copy(record, owner)
+	binary.BigEndian.PutUint16(record[offset:offset+2], Enums.DNS_RECORD_TYPE_SOA)
+	binary.BigEndian.PutUint16(record[offset+2:offset+4], Enums.DNSQ_CLASS_IN)
+	binary.BigEndian.PutUint32(record[offset+4:offset+8], syntheticNoDataTTL)
+	binary.BigEndian.PutUint16(record[offset+8:offset+10], uint16(rdataLen))
+	offset += 10
+
+	offset += copy(record[offset:], syntheticSOAMName)
+	offset += copy(record[offset:], syntheticSOARName)
+	binary.BigEndian.PutUint32(record[offset:offset+4], 1)
+	binary.BigEndian.PutUint32(record[offset+4:offset+8], syntheticNoDataRefresh)
+	binary.BigEndian.PutUint32(record[offset+8:offset+12], syntheticNoDataRetry)
+	binary.BigEndian.PutUint32(record[offset+12:offset+16], syntheticNoDataExpire)
+	binary.BigEndian.PutUint32(record[offset+16:offset+20], syntheticNoDataMinimum)
+
+	return record
+}
+
 func getARCount(optLen int) int {
 	if optLen > 0 {
 		return 1
 	}
 	return 0
 }
 
-
 func isLikelyDNSRequestHeader(header Header) bool {
 	if header.QR != 0 {
 		return false
@@ -153,7 +253,29 @@ func isLikelyDNSRequestHeader(header Header) bool {
 }
 
 func buildResponseFlags(requestFlags uint16, rcode uint8) uint16 {
-	return (1 << 15) | (requestFlags & 0x7810) | uint16(rcode&0x0F)
+	const (
+		flagQR     uint16 = 1 << 15
+		flagAA     uint16 = 1 << 10
+		flagTC     uint16 = 1 << 9
+		flagRD     uint16 = 1 << 8
+		flagRA     uint16 = 1 << 7
+		flagCD     uint16 = 1 << 4
+		opcodeMask uint16 = 0x7800
+	)
+
+	flags := flagQR | flagRA | (requestFlags & opcodeMask) | uint16(rcode&0x0F)
+	if requestFlags&flagRD != 0 {
+		flags |= flagRD
+	}
+	if requestFlags&flagCD != 0 {
+		flags |= flagCD
+	}
+
+	// Resolver-generated local answers should look recursive, not authoritative.
+	// AA/TC are intentionally cleared unless we are relaying an upstream answer
+	// verbatim, in which case those bits come from the upstream packet itself.
+	flags &^= flagAA | flagTC
+	return flags
 }
 
 func extractQuestionSection(request []byte, header Header) ([]byte, uint16, int) {
@@ -244,7 +366,6 @@ func findFirstOPTRecordInAdditional(data []byte, offset int, count int) (int, in
 	return 0, 0
 }
 
-
 func skipQuestions(data []byte, offset int, count int) (int, error) {
 	for range count {
 		nextOffset, err := skipName(data, offset)
@@ -345,4 +466,3 @@ func skipName(data []byte, offset int) (int, error) {
 		offset += length + 1
 	}
 }
-