dnsx/alg: consistent hash domain -> alg-ip

Some apps cache dns answers beyond the stipulated TTLs (ex: GMaps, Instagram)
end up connecting to alg-ips whose alg-ip -> real-ip mapping might have been
lost to a tunnel reset (as mappings are ephemeral). This then results in those
apps errorenously reporting a loss of connectivity.

By using a hash to map domain names to alg ips, mappings can be "ressurrected"
across tunnel resets, collisions notwithstanding.

Author: ignoramous

intra/dnscrypt/proxy.go

@@ -509,10 +509,10 @@ func NewProxy() *Proxy {
 	return &Proxy{
 		routes:                       nil,
 		registeredServers:            make(map[string]RegisteredServer),
-		certRefreshDelay:             time.Duration(240) * time.Minute,
-		certRefreshDelayAfterFailure: time.Duration(10 * time.Second),
+		certRefreshDelay:             240 * time.Minute,
+		certRefreshDelayAfterFailure: 10 * time.Second,
 		certIgnoreTimestamp:          false,
-		timeout:                      time.Duration(20000) * time.Millisecond,
+		timeout:                      20000 * time.Millisecond,
 		serversInfo:                  NewServersInfo(),
 		liveServers:                  nil,
 		lastStatus:                   dnsx.Start,

intra/dnsx/alg.go

@@ -9,6 +9,7 @@ package dnsx
 import (
 	"encoding/binary"
 	"errors"
+	"hash/fnv"
 	"net/netip"
 	"strconv"
 	"strings"
@@ -29,7 +30,7 @@ const (
 	key4        = ":a"
 	key6        = ":aaaa"
 	NoTransport = "NoTransport"
-	maxiter     = 1000 // max number alg/nat evict iterations
+	maxiter     = 100 // max number alg/nat evict iterations
 )
 
 var (
@@ -105,6 +106,7 @@ type dnsgateway struct {
 	rdns         RdnsResolver        // local and remote rdns blocks
 	octets       []uint8             // ip4 octets, 100.x.y.z
 	hexes        []uint16            // ip6 hex, 64:ff9b:1:da19:0100.x.y.z
+	chash        bool                // use consistent hashing to generae alg ips
 }
 
 // NewDNSGateway returns a DNS ALG, ready for use.
@@ -120,6 +122,7 @@ func NewDNSGateway(inner Transport, outer RdnsResolver) (t *dnsgateway) {
 		rdns:   outer,
 		octets: rfc6598,
 		hexes:  rfc8215a,
+		chash:  true,
 	}
 	// initial transport must be set before starting the gateway
 	t.withTransport(inner)
@@ -493,6 +496,7 @@ func (t *dnsgateway) registerMultiLocked(q string, am *ansMulti) bool {
 	return true
 }
 
+// register mapping from qname -> algip+realip (alg) and algip -> qname+realip (nat)
 func (t *dnsgateway) registerNatLocked(q string, idx int, x *ans) bool {
 	ip := x.algip
 	var k string
@@ -508,6 +512,7 @@ func (t *dnsgateway) registerNatLocked(q string, idx int, x *ans) bool {
 	return true
 }
 
+// register mapping from realip -> algip+qname (px)
 func (t *dnsgateway) registerPxLocked(q string, idx int, x *ans) bool {
 	ip := x.realip[idx]
 	t.px[*ip] = x
@@ -528,6 +533,20 @@ func (t *dnsgateway) take4Locked(q string, idx int) (*netip.Addr, bool) {
 		}
 	}
 
+	if t.chash {
+		for i := 0; i < maxiter; i++ {
+			genip := gen4Locked(k, i)
+			if !genip.IsGlobalUnicast() {
+				continue
+			}
+			if _, taken := t.nat[genip]; !taken {
+				return &genip, genip.IsValid()
+			}
+		}
+		log.W("alg: gen: no more IP4s (%v)", q)
+		return nil, false
+	}
+
 	gen := true
 	// 100.x.y.z: 4m+ ip4s
 	if z := t.octets[3]; z < 254 {
@@ -566,6 +585,20 @@ func (t *dnsgateway) take4Locked(q string, idx int) (*netip.Addr, bool) {
 	return nil, false
 }
 
+func gen4Locked(k string, hop int) netip.Addr {
+	s := strconv.Itoa(hop) + k
+	v18 := hash18(s)
+	// 100.64.y.z/14 2m+ ip4s
+	b4 := [4]byte{
+		rfc6598[0],                     // 100
+		rfc6598[1] | uint8(v18>>16)<<6, // 64 | msb 2 bits
+		uint8((v18 >> 8) & 0xff),       // extract next 8 bits
+		uint8(v18 & 0xff),              // extract last 8 bits
+	}
+
+	return netip.AddrFrom4(b4).Unmap()
+}
+
 func (t *dnsgateway) take6Locked(q string, idx int) (*netip.Addr, bool) {
 	k := q + key6 + strconv.Itoa(idx)
 	if ans, ok := t.alg[k]; ok {
@@ -580,6 +613,17 @@ func (t *dnsgateway) take6Locked(q string, idx int) (*netip.Addr, bool) {
 		}
 	}
 
+	if t.chash {
+		for i := 0; i < maxiter; i++ {
+			genip := gen6Locked(k, i)
+			if _, taken := t.nat[genip]; !taken {
+				return &genip, genip.IsValid()
+			}
+		}
+		log.W("alg: gen: no more IP6s (%v)", q)
+		return nil, false
+	}
+
 	gen := true
 	// 64:ff9b:1:da19:0100.x.y.z: 281 trillion ip6s
 	if z := t.hexes[7]; z < 65534 {
@@ -610,6 +654,28 @@ func (t *dnsgateway) take6Locked(q string, idx int) (*netip.Addr, bool) {
 	return nil, false
 }
 
+func gen6Locked(k string, hop int) netip.Addr {
+	s := strconv.Itoa(hop) + k
+	v48 := hash48(s)
+	// 64:ff9b:1:da19:0100.x.y.z: 281 trillion ip6s
+	a16 := [8]uint16{
+		rfc8215a[0],                  // 64
+		rfc8215a[1],                  // ff9b
+		rfc8215a[2],                  // 1
+		rfc8215a[3],                  // da19
+		rfc8215a[4],                  // 0100
+		uint16((v48 >> 32) & 0xffff), // extract the top 16 bits
+		uint16((v48 >> 16) & 0xffff), // extract the mid 16 bits
+		uint16(v48 & 0xffff),         // extract the last 16 bits
+	}
+	b16 := [16]byte{}
+	for i, hx := range a16 {
+		i = i * 2
+		binary.BigEndian.PutUint16(b16[i:i+2], hx)
+	}
+	return netip.AddrFrom16(b16)
+}
+
 // Implements Gateway
 func (t *dnsgateway) withTransport(inner Transport) bool {
 	if inner == nil {
@@ -748,3 +814,19 @@ func (t *dnsgateway) rdnsbl(algip *netip.Addr) (bcsv string) {
 	}
 	return
 }
+
+// xor fold fnv to 18 bits: www.isthe.com/chongo/tech/comp/fnv
+func hash18(s string) uint32 {
+	h := fnv.New64a()
+	h.Write([]byte(s))
+	v64 := h.Sum64()
+	return (uint32(v64>>18) ^ uint32(v64)) & 0x3FFFF // 18 bits
+}
+
+// xor fold fnv to 48 bits: www.isthe.com/chongo/tech/comp/fnv
+func hash48(s string) uint64 {
+	h := fnv.New64a()
+	h.Write([]byte(s))
+	v64 := h.Sum64()
+	return (uint64(v64>>48) ^ uint64(v64)) & 0xFFFFFFFFFFFF // 48 bits
+}

intra/ipn/socks5.go

@@ -34,7 +34,7 @@ func NewSocks5Proxy(id string, ctl protect.Controller, po *settings.ProxyOptions
 	tx.Dial = protect.MakeNsXDial(ctl)
 
 	// x.net.proxy doesn't yet support udp
-	// https://github.com/golang/net/blob/62affa334/internal/socks/socks.go#L233
+	// github.com/golang/net/blob/62affa334/internal/socks/socks.go#L233
 	// if po.Auth.User and po.Auth.Password are empty strings, the upstream
 	// socks5 server may throw err when dialing with golang/net/x/proxy;
 	// although, txthinking/socks5 deals gracefully with empty auth strings