feat: add VPN DNS service with dynamic service catalog resolution and CoreDNS integration

Add ServiceDNSRecord type and gateway API endpoint to expose active service domain-to-IP mappings. Implement ListServiceDNSRecords repository method querying services table with proxy_ip resolution using effectiveAccessProxyIP helper. Add vpn-dns microservice built on CoreDNS with periodic sync from backend API. Generate Corefile with configurable upstream DNS servers and hosts plugin for service overrides.
2026-03-18 13:30:34 +01:00
parent 6cf49ff3e0
commit 3e2169f217
11 changed files with 238 additions and 1 deletions
--- a/deploy/.env.example
+++ b/deploy/.env.example
@@ -27,3 +27,7 @@ NEXAVPN_BACKEND_HOST=127.0.0.1
 NEXAVPN_ACCESS_PROXY_IP=172.16.0.120
 NEXAVPN_ACCESS_PROXY_HTTP_ADDR=172.16.0.120:80
 NEXAVPN_ACCESS_PROXY_HTTPS_ADDR=172.16.0.120:443
+NEXAVPN_DNS_SYNC_URL=http://127.0.0.1:8080/api/v1/gateway-agent/dns/services
+NEXAVPN_VPN_DNS_ADDR=:53
+NEXAVPN_VPN_DNS_UPSTREAMS=172.16.0.100,172.16.0.105
+NEXAVPN_CLIENT_DNS_SERVERS=172.16.0.119
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -111,6 +111,19 @@ services:
    volumes:
      - gateway-state:/var/lib/nexavpn

+  vpn-dns:
+    build:
+      context: .
+      dockerfile: vpn-dns/Dockerfile
+    depends_on:
+      - backend
+    network_mode: host
+    environment:
+      GATEWAY_BOOTSTRAP_TOKEN: ${GATEWAY_BOOTSTRAP_TOKEN:-nexavpn-gateway-bootstrap}
+      NEXAVPN_DNS_SYNC_URL: ${NEXAVPN_DNS_SYNC_URL:-http://127.0.0.1:8080/api/v1/gateway-agent/dns/services}
+      NEXAVPN_VPN_DNS_ADDR: ${NEXAVPN_VPN_DNS_ADDR:-:53}
+      NEXAVPN_VPN_DNS_UPSTREAMS: ${NEXAVPN_VPN_DNS_UPSTREAMS:-172.16.0.100,172.16.0.105}
+
 volumes:
  postgres-data:
  gateway-state:
--- a/deploy/scripts/gateway-entrypoint.sh
+++ b/deploy/scripts/gateway-entrypoint.sh
@@ -13,6 +13,7 @@ BOOTSTRAP_URL="${NEXAVPN_GATEWAY_BOOTSTRAP_URL:-http://backend:8080/api/v1/gatew
 SYNC_BASE_URL="${NEXAVPN_GATEWAY_SYNC_URL:-http://backend:8080/api/v1/gateway-agent}"
 GATEWAY_ID_FILE="/var/lib/nexavpn/gateway-id"
 BACKEND_HOST="${NEXAVPN_BACKEND_HOST:-backend}"
+CLIENT_DNS_SERVERS="${NEXAVPN_CLIENT_DNS_SERVERS:-10.20.0.53}"

 if [ -z "${GATEWAY_BOOTSTRAP_TOKEN:-}" ]; then
  echo "GATEWAY_BOOTSTRAP_TOKEN is required."
@@ -36,11 +37,12 @@ fi

 bootstrap_gateway() {
  GATEWAY_PUBLIC_KEY="$(printf '%s' "${NEXAVPN_GATEWAY_PRIVATE_KEY}" | wg pubkey)"
+  DNS_JSON="$(printf '%s' "${CLIENT_DNS_SERVERS}" | jq -R 'split(",") | map(gsub("^\\s+|\\s+$";"")) | map(select(length > 0))')"
  echo "Bootstrapping gateway ${GATEWAY_NAME}"
  BOOTSTRAP_RESPONSE="$(curl -fsSL \
    -H "Content-Type: application/json" \
    -H "X-Gateway-Bootstrap-Token: ${GATEWAY_BOOTSTRAP_TOKEN}" \
-    -d "{\"name\":\"${GATEWAY_NAME}\",\"endpoint\":\"${DEFAULT_GATEWAY_ENDPOINT:-localhost:${GATEWAY_LISTEN_PORT}}\",\"public_key\":\"${GATEWAY_PUBLIC_KEY}\",\"listen_port\":${GATEWAY_LISTEN_PORT},\"vpn_cidr\":\"${DEFAULT_VPN_CIDR:-100.96.0.0/24}\",\"dns_servers\":[\"10.20.0.53\"]}" \
+    -d "{\"name\":\"${GATEWAY_NAME}\",\"endpoint\":\"${DEFAULT_GATEWAY_ENDPOINT:-localhost:${GATEWAY_LISTEN_PORT}}\",\"public_key\":\"${GATEWAY_PUBLIC_KEY}\",\"listen_port\":${GATEWAY_LISTEN_PORT},\"vpn_cidr\":\"${DEFAULT_VPN_CIDR:-100.96.0.0/24}\",\"dns_servers\":${DNS_JSON}}" \
    "${BOOTSTRAP_URL}")"
  NEXAVPN_GATEWAY_ID="$(printf '%s' "${BOOTSTRAP_RESPONSE}" | jq -r '.id')"
  if [ -z "${NEXAVPN_GATEWAY_ID:-}" ] || [ "${NEXAVPN_GATEWAY_ID}" = "null" ]; then
--- a/deploy/vpn-dns/Dockerfile
+++ b/deploy/vpn-dns/Dockerfile
@@ -0,0 +1,11 @@
+FROM golang:1.23-alpine AS builder
+
+WORKDIR /src
+COPY vpn-dns/go.mod ./
+COPY vpn-dns/main.go ./
+RUN go build -o /out/nexavpn-vpn-dns ./main.go
+
+FROM coredns/coredns:1.11.3
+
+COPY --from=builder /out/nexavpn-vpn-dns /usr/local/bin/nexavpn-vpn-dns
+ENTRYPOINT ["/usr/local/bin/nexavpn-vpn-dns"]
--- a/deploy/vpn-dns/go.mod
+++ b/deploy/vpn-dns/go.mod
@@ -0,0 +1,3 @@
+module nexavpn/vpn-dns
+
+go 1.23.0
--- a/deploy/vpn-dns/main.go
+++ b/deploy/vpn-dns/main.go
@@ -0,0 +1,150 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+type dnsResponse struct {
+	Records []dnsRecord `json:"records"`
+}
+
+type dnsRecord struct {
+	Domain   string `json:"domain"`
+	TargetIP string `json:"target_ip"`
+}
+
+func main() {
+	ctx := context.Background()
+
+	if err := os.MkdirAll("/etc/coredns", 0o755); err != nil {
+		log.Fatalf("unable to create coredns config dir: %v", err)
+	}
+
+	if err := writeCorefile(); err != nil {
+		log.Fatalf("unable to write Corefile: %v", err)
+	}
+	if err := refreshOverrides(ctx); err != nil {
+		log.Printf("initial dns override sync failed: %v", err)
+	}
+
+	go func() {
+		ticker := time.NewTicker(15 * time.Second)
+		defer ticker.Stop()
+		for range ticker.C {
+			if err := refreshOverrides(ctx); err != nil {
+				log.Printf("dns override sync failed: %v", err)
+			}
+		}
+	}()
+
+	cmd := exec.Command("/coredns", "-conf", "/etc/coredns/Corefile")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	log.Printf("starting coredns on %s", envOrDefault("NEXAVPN_VPN_DNS_ADDR", ":53"))
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("coredns exited: %v", err)
+	}
+}
+
+func writeCorefile() error {
+	upstreams := parseList(envOrDefault("NEXAVPN_VPN_DNS_UPSTREAMS", "172.16.0.100,172.16.0.105"))
+	if len(upstreams) == 0 {
+		return errors.New("no upstream dns servers configured")
+	}
+
+	corefile := fmt.Sprintf(`%s {
+    errors
+    hosts /etc/coredns/service-overrides.hosts {
+        ttl 30
+        reload 15s
+        fallthrough
+    }
+    forward . %s
+    cache 30
+}
+`, envOrDefault("NEXAVPN_VPN_DNS_ADDR", ":53"), strings.Join(upstreams, " "))
+
+	return os.WriteFile("/etc/coredns/Corefile", []byte(corefile), 0o644)
+}
+
+func refreshOverrides(ctx context.Context) error {
+	syncURL := strings.TrimRight(envOrDefault("NEXAVPN_DNS_SYNC_URL", "http://127.0.0.1:8080/api/v1/gateway-agent/dns/services"), "/")
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, syncURL, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("X-Gateway-Bootstrap-Token", os.Getenv("GATEWAY_BOOTSTRAP_TOKEN"))
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return fmt.Errorf("service dns sync failed with status %s", resp.Status)
+	}
+
+	var payload dnsResponse
+	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+		return err
+	}
+
+	lines := make([]string, 0, len(payload.Records))
+	for _, record := range payload.Records {
+		domain := normalizeDomain(record.Domain)
+		targetIP := strings.TrimSpace(record.TargetIP)
+		if domain == "" || targetIP == "" {
+			continue
+		}
+		lines = append(lines, targetIP+" "+domain)
+	}
+
+	content := strings.Join(lines, "\n")
+	if content != "" {
+		content += "\n"
+	}
+
+	return os.WriteFile(filepath.Clean("/etc/coredns/service-overrides.hosts"), []byte(content), 0o644)
+}
+
+func parseList(raw string) []string {
+	seen := make(map[string]struct{})
+	values := make([]string, 0)
+	for _, part := range strings.Split(raw, ",") {
+		value := strings.TrimSpace(part)
+		if value == "" {
+			continue
+		}
+		if _, ok := seen[value]; ok {
+			continue
+		}
+		seen[value] = struct{}{}
+		values = append(values, value)
+	}
+	return values
+}
+
+func normalizeDomain(value string) string {
+	value = strings.TrimSpace(strings.ToLower(value))
+	value = strings.TrimSuffix(value, ".")
+	return value
+}
+
+func envOrDefault(key string, fallback string) string {
+	if value := strings.TrimSpace(os.Getenv(key)); value != "" {
+		return value
+	}
+	return fallback
+}