dnsx: choose fixed transport internally

ignoramous · ignoramous · commit 26d18101865d · 2026-03-05T18:46:18.000+05:30
Preserve uids for all internally originated dns requests. Choose fixed
transport depending on whether alg translations and split dns are both
turned on and the uid is either invalid or of known android components
that are known to proxy dns requests on app's behalf.
diff --git a/intra/backend/dnsx.go b/intra/backend/dnsx.go
@@ -145,8 +145,8 @@ type RDNSResolver interface {
 	SetRdnsRemote(filetag string) error
 	// GetRdnsRemote returns the remote rdns resolver.
 	GetRdnsRemote() (RDNS, error)
-	// Translate enables or disables ALG/fixed responses
-	Translate(bool)
+	// Translate enables or disables ALG and fixed responses.
+	Translate(alg, fix bool)
 }
 
 type DNSTransportMultProvider interface {
diff --git a/intra/common.go b/intra/common.go
@@ -36,6 +36,7 @@ const (
 	smmchSize           = 256 // some comfortably high number
 	UNKNOWN_UID         = core.UNKNOWN_UID
 	UNKNOWN_UID_STR     = core.UNKNOWN_UID_STR
+	ANDROID_UID_STR     = core.ANDROID_UID_STR
 	SELF_UID            = protect.UidSelf
 	UNSUPPORTED_NETWORK = core.UNSUPPORTED_NETWORK
 )
diff --git a/intra/core/proto.go b/intra/core/proto.go
@@ -15,9 +15,11 @@ import (
 
 // from: github.com/eycorsican/go-tun2socks/blob/301549c435/core/conn.go#LL3C9-L3C9
 
+// ref: cs.android.com/android/platform/superproject/+/android-latest-release:system/core/libcutils/include/private/android_filesystem_config.h;drc=e999f05f34e91a3a313ba7dd77bcf52b58a0841e
 const (
 	UNKNOWN_UID         = -1
 	UNKNOWN_UID_STR     = "-1"
+	ANDROID_UID_STR     = "0"
 	DNS_UID_STR         = "1051"
 	UNSUPPORTED_NETWORK = -1
 )
diff --git a/intra/dialers/dns.go b/intra/dialers/dns.go
@@ -12,6 +12,7 @@ import (
 	"net/url"
 
 	"github.com/celzero/firestack/intra/core"
+	"github.com/celzero/firestack/intra/protect"
 	"github.com/celzero/firestack/intra/xdns"
 	"github.com/miekg/dns"
 )
@@ -70,7 +71,7 @@ func ECH(hostname string) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	res, err := ipm.Lookup(q)
+	res, err := ipm.LocalLookup(q)
 	if err != nil {
 		return nil, err
 	}
@@ -100,7 +101,7 @@ func Query(msg *dns.Msg, tids ...string) (*dns.Msg, error) {
 		return nil, err
 	}
 
-	r, err := ipm.Lookup(q, tids...)
+	r, err := ipm.Lookup(q, protect.UidSelf, tids...)
 	if err != nil {
 		return nil, err
 	}
@@ -120,13 +121,8 @@ func QueryFor(msg *dns.Msg, uid, tid string) (*dns.Msg, error) {
 		return nil, qerr
 	}
 
-	var r []byte
-	var rerr error
-	if uid == core.UNKNOWN_UID_STR {
-		r, rerr = ipm.Lookup(q, tid)
-	} else {
-		r, rerr = ipm.LookupFor(q, uid)
-	}
+	// uid may be core.UNKNOWN_UID_STR
+	r, rerr := ipm.Lookup(q, uid, tid)
 
 	if rerr != nil {
 		return nil, rerr
diff --git a/intra/dns53/dot_test.go b/intra/dns53/dot_test.go
@@ -36,7 +36,11 @@ type fakeResolver struct {
 	*net.Resolver
 }
 
-func (r fakeResolver) Lookup(q []byte, _ ...string) ([]byte, error) {
+func (r fakeResolver) LocalLookup(q []byte) ([]byte, error) {
+	return r.Lookup(q, protect.UidSelf)
+}
+
+func (r fakeResolver) Lookup(q []byte, _ string, _ ...string) ([]byte, error) {
 	// return nil, errors.New("lookup: not implemented")
 	msg := xdns.AsMsg(q)
 	if msg == nil {
@@ -75,7 +79,7 @@ func (r fakeResolver) Lookup(q []byte, _ ...string) ([]byte, error) {
 }
 
 func (r fakeResolver) LookupFor(q []byte, _ string) ([]byte, error) {
-	return r.Lookup(q)
+	return r.LocalLookup(q)
 }
 
 func (r fakeResolver) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
@@ -119,7 +123,7 @@ var (
 	autoNsOpts = &x.DNSOpts{PIDCSV: x.RpnWin, IPCSV: "", TIDCSV: x.CT + "test0"}
 )
 
-func (*fakeBdg) OnQuery(_, _ *x.Gostr, _ int) *x.DNSOpts                 { return autoNsOpts }
+func (*fakeBdg) OnQuery(_, _, _ *x.Gostr, _ int) *x.DNSOpts              { return autoNsOpts }
 func (*fakeBdg) OnUpstreamAnswer(_ *x.DNSSummary, _ *x.Gostr) *x.DNSOpts { return nil }
 func (*fakeBdg) OnResponse(*x.DNSSummary)                                {}
 func (*fakeBdg) OnDNSAdded(*x.Gostr)                                     {}
@@ -168,12 +172,12 @@ func TestDot(t *testing.T) {
 	natpt := x64.NewNatPt()
 	resolv := dnsx.NewResolver(ctx, "10.111.222.3:53", dtr, bdg, natpt)
 	resolv.Add(tr)
-	r4, _, err := resolv.Lookup(b4)
-	r6, _, err6 := resolv.Lookup(b6)
-	_, _, _ = resolv.Lookup(b24)
-	_, _, _ = resolv.Lookup(b26)
+	r4, _, err := resolv.LocalLookup(b4)
+	r6, _, err6 := resolv.LocalLookup(b6)
+	_, _, _ = resolv.LocalLookup(b24)
+	_, _, _ = resolv.LocalLookup(b26)
 	time.Sleep(1 * time.Second)
-	_, _, _ = resolv.Lookup(b6)
+	_, _, _ = resolv.LocalLookup(b6)
 	if err != nil {
 		// log.Output(2, smm.Str())
 		t.Fatal(err)
@@ -286,8 +290,8 @@ func TestSEProxy(t *testing.T) {
 	b4, _ := q.Pack()
 	b6, _ := q6.Pack()
 
-	r4, _, err := resolv.Lookup(b4)
-	r6, _, err6 := resolv.Lookup(b6)
+	r4, _, err := resolv.LocalLookup(b4)
+	r6, _, err6 := resolv.LocalLookup(b6)
 	if err != nil {
 		// log.Output(2, smm.Str())
 		t.Fatal(err)
@@ -385,7 +389,7 @@ func TestWgReaches(t *testing.T) {
 	}*/
 	ilog.VV("-----------------------DNSX--------------------------")
 	b4, _ := aquery("skysports.com").Pack()
-	r4, _, err := resolv.Lookup(b4) // must use "test0"
+	r4, _, err := resolv.LocalLookup(b4) // must use "test0"
 
 	ilog.D("testwg: %v", win.Router().Stat())
 	time.Sleep(2 * time.Second)
@@ -509,7 +513,7 @@ func TestWinReaches(t *testing.T) {
 	}*/
 	ilog.VV("-----------------------DNSX--------------------------")
 	b4, _ := aquery("skysports.com").Pack()
-	r4, _, err := resolv.Lookup(b4) // must use "test0"
+	r4, _, err := resolv.LocalLookup(b4) // must use "test0"
 
 	ilog.D("%v", propx2.Router().Stat())
 	time.Sleep(2 * time.Second)
diff --git a/intra/dns53/ipmapper.go b/intra/dns53/ipmapper.go
@@ -74,8 +74,13 @@ func str2ip(host string) (netip.Addr, error) {
 }
 
 // Implements IPMapper.
-func (m *ipmapper) Lookup(q []byte, tids ...string) ([]byte, error) {
-	return m.queryAny(q, tids...)
+func (m *ipmapper) LocalLookup(q []byte) ([]byte, error) {
+	return m.Lookup(q, protect.UidSelf)
+}
+
+// Implements IPMapper.
+func (m *ipmapper) Lookup(q []byte, uid string, tids ...string) ([]byte, error) {
+	return m.queryAny2(q, uid, tids...)
 }
 
 // Implements IPMapper.
@@ -150,8 +155,8 @@ func (m *ipmapper) queryIP2(_ context.Context, network, host, uid string, tid ..
 
 	var val4, val6 *core.V[answer, string]
 	if len(tid) > 0 { // always choose one among these tids
-		val4, _ = m.ba.Do(key4(host, tid...), m.lookupon(q4, tid...))
-		val6, _ = m.ba.Do(key6(host, tid...), m.lookupon(q6, tid...))
+		val4, _ = m.ba.Do(key4(host, tid...), m.lookupon(q4, uid, tid...))
+		val6, _ = m.ba.Do(key6(host, tid...), m.lookupon(q6, uid, tid...))
 	} else if uid != core.UNKNOWN_UID_STR { // client code chooses a tid depending on uid & "origin"
 		val4, _ = m.ba.Do(key4(host, uid), m.lookupfor(q4, uid))
 		val6, _ = m.ba.Do(key6(host, uid), m.lookupfor(q6, uid))
@@ -227,7 +232,7 @@ func (m *ipmapper) queryAny2(q []byte, uid string, tids ...string) ([]byte, erro
 
 	var v *core.V[answer, string]
 	if len(tids) > 0 {
-		v, _ = m.ba.Do(key(qname, qtypestr, tids...), m.lookupon(q, tids...))
+		v, _ = m.ba.Do(key(qname, qtypestr, tids...), m.lookupon(q, uid, tids...))
 	} else if uid != core.UNKNOWN_UID_STR {
 		v, _ = m.ba.Do(key(qname, qtypestr, uid), m.lookupfor(q, uid))
 	} else {
@@ -257,10 +262,10 @@ func (m *ipmapper) lookupfor(q []byte, uid string) func() (answer, error) {
 // lookupon always resolves on one of the chosen tids
 // (if empty, it may or may not use dnsx.Default;
 // see: dnsx.transport.go:determineTransport)
-func (m *ipmapper) lookupon(q []byte, tids ...string) func() (answer, error) {
+func (m *ipmapper) lookupon(q []byte, uid string, tids ...string) func() (answer, error) {
 	return func() (answer, error) {
-		a, tid, err := m.r.Lookup(q, tids...)
-		return answer{a, tid, core.UNKNOWN_UID_STR}, err
+		a, tid, err := m.r.LookupFor2(q, uid, tids...)
+		return answer{a, tid, uid}, err
 	}
 }
 
diff --git a/intra/dnscrypt/servers_test.go b/intra/dnscrypt/servers_test.go
@@ -67,7 +67,11 @@ type fakeResolver struct {
 	*net.Resolver
 }
 
-func (r fakeResolver) Lookup([]byte, ...string) ([]byte, error) {
+func (r fakeResolver) LocalLookup([]byte) ([]byte, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (r fakeResolver) Lookup([]byte, string, ...string) ([]byte, error) {
 	return nil, errors.New("not implemented")
 }
 
diff --git a/intra/dnsx/alg.go b/intra/dnsx/alg.go
@@ -90,9 +90,11 @@ type Gateway interface {
 	// given an alg or real ip, retrieve assoc blocklists as csv, if any
 	RDNSBL(maybeAlg netip.Addr) (blocklistcsv string)
 	// translate overwrites ip answers to alg ip & fixed ip answers
-	translate(yes bool)
+	translate(tr, fix bool)
 	// splitTunnel sets per-app split tunneling on/off
 	splitTunnel()
+	// fixedTransport returns true if split tunneling is enforced via dnsx.Fixed
+	fixedTransport() bool
 	// Query using t1 as primary transport and t2 as secondary and preset as pre-determined ip answers
 	q(t1, t2 Transport, preset []netip.Addr, network, uid string, q *dns.Msg, s *x.DNSSummary) (og *dns.Msg, algd *dns.Msg, err error)
 	// onStopped is called when a transport tid is stopped. Gateway invalidates its local caches, if any.
@@ -870,6 +872,7 @@ type dnsgateway struct {
 	// fields below are mutable
 
 	mod   atomic.Bool // modify realip to algip
+	fix   atomic.Bool // enforce split tunneling via dnsx.Fixed
 	split atomic.Bool // per-app split tunneling
 }
 
@@ -898,9 +901,12 @@ func NewDNSGateway(pctx context.Context, fakeaddrs []netip.AddrPort, outer RdnsR
 	return
 }
 
-func (t *dnsgateway) translate(yes bool) {
-	prev := t.mod.Swap(yes)
-	log.I("alg: translate? prev(%t) > now(%t)", prev, yes)
+func (t *dnsgateway) translate(tr, fix bool) {
+	// fixed transport can only be used if translation is on
+	fix = tr && fix
+	prevtr := t.mod.Swap(tr)
+	prevfix := t.fix.Swap(fix)
+	log.I("alg: translate? prevtr(%t) > nowtr(%t); prevfix(%t) > nowfix(%t)", prevtr, tr, prevfix, fix)
 }
 
 func (t *dnsgateway) splitTunnel() {
@@ -911,6 +917,10 @@ func (t *dnsgateway) splitTunnel() {
 	log.I("alg: splitTunnel turned on")
 }
 
+func (t *dnsgateway) fixedTransport() bool {
+	return t.mod.Load() && t.split.Load() && t.fix.Load()
+}
+
 func (t *dnsgateway) onStopped(tid string) {
 	if len(tid) <= 0 {
 		return
@@ -1773,8 +1783,10 @@ func (t *dnsgateway) S() string {
 	sb.WriteString("dnsgateway state:\n")
 	sb.WriteString(" mod: ")
 	sb.WriteString(strconv.FormatBool(t.mod.Load()))
-	sb.WriteString(" / split: ")
+	sb.WriteString(" / cansplit: ")
 	sb.WriteString(strconv.FormatBool(t.split.Load()))
+	sb.WriteString(" / wantsplit: ")
+	sb.WriteString(strconv.FormatBool(t.fixedTransport()))
 	sb.WriteString(" / chash: ")
 	sb.WriteString(strconv.FormatBool(t.chash))
 	sb.WriteString(" / adv: ")
diff --git a/intra/dnsx/rethinkdns.go b/intra/dnsx/rethinkdns.go
@@ -73,11 +73,10 @@ type ResolverSelf interface {
 	// LocalLookup performs resolution on Default and/or Goos DNSes.
 	// To be only used by protect.UidSelf.
 	LocalLookup(q []byte) (a []byte, tid string, err error)
-	// Lookup performs resolution on chosen Transport.
-	// To be only used by protect.UidSelf.
-	Lookup(q []byte, chosen ...string) (a []byte, tid string, err error)
 	// LookupFor performs resolution for uid.
 	LookupFor(q []byte, uid string) (a []byte, tid string, err error)
+	// Lookup performs resolution on chosen Transport.
+	LookupFor2(q []byte, uid string, chosen ...string) (a []byte, tid string, err error)
 }
 
 type RDNS interface {
diff --git a/intra/dnsx/transport.go b/intra/dnsx/transport.go
@@ -285,8 +285,8 @@ func (r *resolver) MDNS() (MDNSTransport, error) {
 	return nil, errNoSuchTransport
 }
 
-func (r *resolver) Translate(b bool) {
-	r.gateway.translate(b)
+func (r *resolver) Translate(tr, fix bool) {
+	r.gateway.translate(tr, fix)
 }
 
 // stopIfExistsLocked stops the transport if it exists,
@@ -467,21 +467,29 @@ func (r *resolver) IsDnsAddr(ipport netip.AddrPort) bool {
 	return r.isDns(ipport)
 }
 
-// Lookup implements ResolverSelf.
-func (r *resolver) Lookup(q []byte, tids ...string) ([]byte, string, error) {
+// LookupFor2 implements ResolverSelf.
+func (r *resolver) LookupFor2(q []byte, uid string, tids ...string) ([]byte, string, error) {
 	if len(q) <= 0 {
 		return nil, NoDNS, errNoQuestion
 	}
 	// if len(tids) == 0, use transport from preferences
-	return r.forward(q, OriginInternal, protect.UidSelf, tids...)
+	return r.forward(q, OriginInternal, uid, tids...)
 }
 
-// LookupForSelf implements ResolverSelf.
+// LookupFor implements ResolverSelf.
 func (r *resolver) LookupFor(q []byte, uid string) ([]byte, string, error) {
 	if len(q) <= 0 {
 		return nil, NoDNS, errNoQuestion
 	}
 
+	// prechose tids preferred & fixed when uid is set to 0, -1, or 1051 (common
+	// android system components that send DNS requests on behalf of actual apps/uids)
+	// to use "fixed" transport to later uncover the actual requesting app/uid during
+	// tcp/udp flows (specifically, with preflow)
+	if (uid == core.UNKNOWN_UID_STR || uid == core.DNS_UID_STR || uid == core.ANDROID_UID_STR) && r.gateway.fixedTransport() {
+		return r.forward(q, OriginInternal, uid, Preferred, Fixed)
+	}
+
 	return r.forward(q, OriginInternal, uid)
 }
 
@@ -495,7 +503,7 @@ func (r *resolver) LocalLookup(q []byte) ([]byte, string, error) {
 	defaultIsSystemDNS := r.isDefaultSystemDNS()
 
 	// including dns64 and/or alg
-	ans, tid, err := r.forward(q, protect.UidSelf, Default)
+	ans, tid, err := r.forward(q, OriginInternal, protect.UidSelf, Default)
 	if !defaultIsSystemDNS || loopingBack {
 		return ans, tid, err
 	} // else: retry with Goos/System, if needed
@@ -735,7 +743,7 @@ func (r *resolver) Serve(proto string, c protect.Conn, uid string) {
 	// if Serve (which is called by common.go:dnsOverride) calls in with a uid
 	// that is not UNKNOWN_UID_STR, then we know that the query is from an app
 	// and we can presume per app split tunnel is working as expected.
-	if len(uid) > 0 && uid != core.UNKNOWN_UID_STR && uid != core.DNS_UID_STR {
+	if len(uid) > 0 && uid != core.ANDROID_UID_STR && uid != core.UNKNOWN_UID_STR && uid != core.DNS_UID_STR {
 		r.gateway.splitTunnel()
 	}
 
diff --git a/intra/ipn/multihost/multihost_test.go b/intra/ipn/multihost/multihost_test.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/celzero/firestack/intra/dialers"
 	ilog "github.com/celzero/firestack/intra/log"
+	"github.com/celzero/firestack/intra/protect"
 	"github.com/celzero/firestack/intra/settings"
 	"github.com/celzero/firestack/intra/xdns"
 	"github.com/miekg/dns"
@@ -24,7 +25,7 @@ type fakeResolver struct {
 	*net.Resolver
 }
 
-func (r fakeResolver) Lookup(q []byte, _ ...string) ([]byte, error) {
+func (r fakeResolver) Lookup(q []byte, _ string, _ ...string) ([]byte, error) {
 	// return nil, errors.New("lookup: not implemented")
 	msg := xdns.AsMsg(q)
 	if msg == nil {
@@ -62,8 +63,12 @@ func (r fakeResolver) Lookup(q []byte, _ ...string) ([]byte, error) {
 	return ans.Pack()
 }
 
+func (r fakeResolver) LocalLookup(q []byte) ([]byte, error) {
+	return r.Lookup(q, protect.UidSelf)
+}
+
 func (r fakeResolver) LookupFor(q []byte, _ string) ([]byte, error) {
-	return r.Lookup(q)
+	return r.Lookup(q, protect.UidSelf)
 }
 
 func (r fakeResolver) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
diff --git a/intra/ipn/pxclient_test.go b/intra/ipn/pxclient_test.go
@@ -20,7 +20,10 @@ type fakeProxy struct{ id string }
 
 type systemMapper struct{}
 
-func (systemMapper) Lookup(_ []byte, _ ...string) ([]byte, error) {
+func (systemMapper) LocalLookup(_ []byte) ([]byte, error) {
+	return nil, errors.New("wire lookup not supported")
+}
+func (systemMapper) Lookup(_ []byte, _ string, _ ...string) ([]byte, error) {
 	return nil, errors.New("wire lookup not supported")
 }
 func (systemMapper) LookupFor(_ []byte, _ string) ([]byte, error) {
diff --git a/intra/protect/ipmap/ipmap.go b/intra/protect/ipmap/ipmap.go
diff --git a/intra/protect/ipmap/ipmap_test.go b/intra/protect/ipmap/ipmap_test.go

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ const (`
`36`	`36`	`smmchSize = 256 // some comfortably high number`
`37`	`37`	`UNKNOWN_UID = core.UNKNOWN_UID`
`38`	`38`	`UNKNOWN_UID_STR = core.UNKNOWN_UID_STR`
	`39`	`+ ANDROID_UID_STR = core.ANDROID_UID_STR`
`39`	`40`	`SELF_UID = protect.UidSelf`
`40`	`41`	`UNSUPPORTED_NETWORK = core.UNSUPPORTED_NETWORK`
`41`	`42`	`)`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,11 @@ type fakeResolver struct {`
`67`	`67`	`*net.Resolver`
`68`	`68`	`}`
`69`	`69`
`70`		`-func (r fakeResolver) Lookup([]byte, ...string) ([]byte, error) {`
	`70`	`+func (r fakeResolver) LocalLookup([]byte) ([]byte, error) {`
	`71`	`+ return nil, errors.New("not implemented")`
	`72`	`+}`
	`73`	`+`
	`74`	`+func (r fakeResolver) Lookup([]byte, string, ...string) ([]byte, error) {`
`71`	`75`	`return nil, errors.New("not implemented")`
`72`	`76`	`}`
`73`	`77`