[dns] fix ndots search domain resolution and start DNS proxy in tunnel runtime

The internal DNS server had identical logic in both branches of the ndots
check — it always queried the bare name first, so search domains like
svc.cluster.local never got priority even with ndots:5. Restructure
ServeDNS so that when dotCount < ndots, search domains are tried before
the bare name, matching standard resolver behavior.

Also start the DNS proxy (127.0.0.1:8053) in the `apoxy run` tunnel path,
which was missing compared to `apoxy tunnel run`. Add a configurable
DNSAddr field to TunnelConfig for this.

Author: theRealWardo

api/config/v1alpha1/config_types.go

@@ -133,6 +133,10 @@ type TunnelConfig struct {
 	// Only use for development/testing.
 	// +optional
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+	// DNSAddr is the address to listen on for the internal DNS proxy.
+	// Defaults to "127.0.0.1:8053". Set to empty string to disable.
+	// +optional
+	DNSAddr string `json:"dnsAddr,omitempty"`
 }
 
 // TunnelMode is the mode of the tunnel.

pkg/cmd/run/tunnel.go

@@ -35,6 +35,7 @@ import (
 	corev1alpha "github.com/apoxy-dev/apoxy/api/core/v1alpha"
 	"github.com/apoxy-dev/apoxy/client/versioned"
 	"github.com/apoxy-dev/apoxy/pkg/log"
+	"github.com/apoxy-dev/apoxy/pkg/net/dns"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel/endpointselect"
 )
@@ -68,6 +69,9 @@ func resolveTunnelConfig(in *configv1alpha1.TunnelConfig) *configv1alpha1.Tunnel
 	if out.SocksPort == nil {
 		out.SocksPort = ptr.To(1080)
 	}
+	if out.DNSAddr == "" {
+		out.DNSAddr = "127.0.0.1:8053"
+	}
 	return out
 }
 
@@ -482,6 +486,19 @@ func runTunnel(ctx context.Context, cfg *configv1alpha1.Config, tc *configv1alph
 		return mgr.Start(gctx)
 	})
 
+	// Start internal DNS proxy so search domain expansion works.
+	if tc.DNSAddr != "" {
+		dnsAddr := tc.DNSAddr
+		g.Go(func() error {
+			slog.Info("Starting DNS proxy", slog.String("address", dnsAddr))
+			if err := dns.ListenAndServe(dnsAddr); err != nil {
+				slog.Error("DNS server failed", slog.Any("error", err))
+				return fmt.Errorf("dns server: %w", err)
+			}
+			return nil
+		})
+	}
+
 	// Start the router — each pod independently connects to the tunnel server.
 	g.Go(func() error {
 		if err := r.Start(gctx); err != nil {

pkg/net/dns/upstream.go

@@ -18,10 +18,15 @@ import (
 	"github.com/apoxy-dev/apoxy/pkg/log"
 )
 
-const (
+var (
 	upstreamPort = 53
 )
 
+// setUpstreamPort overrides the upstream port (for testing).
+func setUpstreamPort(port int) {
+	upstreamPort = port
+}
+
 // upstream is a plugin that sends queries to a random upstream.
 type upstream struct {
 	Next              plugin.Handler
@@ -49,29 +54,43 @@ func (u *upstream) ServeDNS(ctx context.Context, w mdns.ResponseWriter, r *mdns.
 		return u.Next.ServeDNS(ctx, w, r)
 	}
 
-	// Try the original query first
-	response, rcode, err := u.queryUpstream(r)
-	if err != nil {
-		return rcode, err
-	}
+	var response *mdns.Msg
 
-	// Apply search domain logic based on ndots and search domains
 	if len(u.SearchDomains) > 0 && len(r.Question) > 0 {
 		originalName := r.Question[0].Name
 		dotCount := u.countDots(originalName)
 
-		// Determine search strategy based on ndots
 		if dotCount < u.Ndots {
-			// Try search domains first, then original name if all fail
-			if response.Rcode == mdns.RcodeNameError {
-				response = u.trySearchDomains(r, originalName, response)
+			// Few dots: try search domains first, bare name as fallback.
+			response = u.trySearchDomains(r, originalName, nil)
+			if response == nil {
+				var rcode int
+				var err error
+				response, rcode, err = u.queryUpstream(r)
+				if err != nil {
+					return rcode, err
+				}
 			}
 		} else {
-			// Try original name first (already done), then search domains if it failed
+			// Enough dots: try bare name first, search domains as fallback.
+			var rcode int
+			var err error
+			response, rcode, err = u.queryUpstream(r)
+			if err != nil {
+				return rcode, err
+			}
 			if response.Rcode == mdns.RcodeNameError {
 				response = u.trySearchDomains(r, originalName, response)
 			}
 		}
+	} else {
+		// No search domains: query upstream directly.
+		var rcode int
+		var err error
+		response, rcode, err = u.queryUpstream(r)
+		if err != nil {
+			return rcode, err
+		}
 	}
 
 	// Block responses referencing non-global unicast IPs if enabled
@@ -127,6 +146,8 @@ func (u *upstream) countDots(name string) int {
 }
 
 // trySearchDomains attempts to resolve a name using configured search domains.
+// fallbackResponse may be nil when called before any upstream query (ndots path).
+// Returns nil if no search domain succeeded and fallbackResponse was nil.
 func (u *upstream) trySearchDomains(originalQuery *mdns.Msg, originalName string, fallbackResponse *mdns.Msg) *mdns.Msg {
 	for _, domain := range u.SearchDomains {
 		// Create a new query with the search domain appended
@@ -154,7 +175,7 @@ func (u *upstream) trySearchDomains(originalQuery *mdns.Msg, originalName string
 			return searchResponse
 		}
 	}
-	// If no search domain worked, return the original response
+	// If no search domain worked, return the fallback (may be nil).
 	return fallbackResponse
 }
 

pkg/net/dns/upstream_test.go

@@ -0,0 +1,255 @@
+package dns
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"sync"
+	"testing"
+
+	mdns "github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// queryLog records the FQDNs queried in order.
+type queryLog struct {
+	mu      sync.Mutex
+	queries []string
+}
+
+func (l *queryLog) append(name string) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	l.queries = append(l.queries, name)
+}
+
+func (l *queryLog) list() []string {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	out := make([]string, len(l.queries))
+	copy(out, l.queries)
+	return out
+}
+
+// fakeUpstreamServer starts a local DNS server that answers queries based on
+// a set of known names. Unknown names get NXDOMAIN.
+type fakeUpstreamServer struct {
+	addr     string
+	known    map[string]string // FQDN -> IP answer (A record)
+	log      *queryLog
+	server   *mdns.Server
+	udpConn  net.PacketConn
+}
+
+func newFakeUpstream(t *testing.T, known map[string]string, log *queryLog) *fakeUpstreamServer {
+	t.Helper()
+	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	f := &fakeUpstreamServer{
+		addr:    pc.LocalAddr().String(),
+		known:   known,
+		log:     log,
+		udpConn: pc,
+	}
+	mux := mdns.NewServeMux()
+	mux.HandleFunc(".", f.handler)
+	f.server = &mdns.Server{
+		PacketConn: pc,
+		Handler:    mux,
+	}
+	go func() { _ = f.server.ActivateAndServe() }()
+	return f
+}
+
+func (f *fakeUpstreamServer) handler(w mdns.ResponseWriter, r *mdns.Msg) {
+	q := r.Question[0]
+	f.log.append(q.Name)
+
+	resp := new(mdns.Msg)
+	resp.SetReply(r)
+
+	if ip, ok := f.known[q.Name]; ok && q.Qtype == mdns.TypeA {
+		resp.Answer = append(resp.Answer, &mdns.A{
+			Hdr: mdns.RR_Header{
+				Name:   q.Name,
+				Rrtype: mdns.TypeA,
+				Class:  mdns.ClassINET,
+				Ttl:    60,
+			},
+			A: net.ParseIP(ip),
+		})
+	} else {
+		resp.Rcode = mdns.RcodeNameError
+	}
+	w.WriteMsg(resp)
+}
+
+func (f *fakeUpstreamServer) close() {
+	f.server.Shutdown()
+	f.udpConn.Close()
+}
+
+// upstreamPort returns just the port number so we can override the upstream
+// client to hit it.
+func (f *fakeUpstreamServer) port() string {
+	_, port, _ := net.SplitHostPort(f.addr)
+	return port
+}
+
+// serveDNSHelper builds an upstream, sends a query, and returns the response.
+func serveDNSHelper(t *testing.T, u *upstream, name string, qtype uint16) *mdns.Msg {
+	t.Helper()
+	r := new(mdns.Msg)
+	r.SetQuestion(mdns.Fqdn(name), qtype)
+
+	rec := &dnsRecorder{}
+	_, err := u.ServeDNS(context.Background(), rec, r)
+	require.NoError(t, err)
+	require.NotNil(t, rec.msg, "expected a DNS response")
+	return rec.msg
+}
+
+// dnsRecorder captures the response written via WriteMsg.
+type dnsRecorder struct {
+	msg *mdns.Msg
+}
+
+func (r *dnsRecorder) WriteMsg(m *mdns.Msg) error { r.msg = m; return nil }
+func (r *dnsRecorder) LocalAddr() net.Addr         { return nil }
+func (r *dnsRecorder) RemoteAddr() net.Addr         { return nil }
+func (r *dnsRecorder) Write([]byte) (int, error)    { return 0, fmt.Errorf("not implemented") }
+func (r *dnsRecorder) Close() error                 { return nil }
+func (r *dnsRecorder) TsigStatus() error            { return nil }
+func (r *dnsRecorder) TsigTimersOnly(bool)          {}
+func (r *dnsRecorder) Hijack()                      {}
+
+func TestServeDNS_NdotsSearchDomainPriority(t *testing.T) {
+	tests := []struct {
+		name           string
+		queryName      string // domain to query
+		ndots          int
+		searchDomains  []string
+		knownNames     map[string]string // FQDN->IP that the fake upstream knows
+		wantRcode      int
+		wantAnswer     string // expected IP in answer, "" if NXDOMAIN expected
+		wantFirstQuery string // first FQDN the upstream should have received
+	}{
+		{
+			name:          "dotCount < ndots: search domains tried first",
+			queryName:     "apache.default",
+			ndots:         5,
+			searchDomains: []string{"svc.cluster.local", "cluster.local"},
+			knownNames: map[string]string{
+				"apache.default.svc.cluster.local.": "10.0.0.1",
+			},
+			wantRcode:      mdns.RcodeSuccess,
+			wantAnswer:     "10.0.0.1",
+			wantFirstQuery: "apache.default.svc.cluster.local.",
+		},
+		{
+			name:          "dotCount >= ndots: bare name tried first",
+			queryName:     "api.example.com",
+			ndots:         2,
+			searchDomains: []string{"svc.cluster.local"},
+			knownNames: map[string]string{
+				"api.example.com.": "1.2.3.4",
+			},
+			wantRcode:      mdns.RcodeSuccess,
+			wantAnswer:     "1.2.3.4",
+			wantFirstQuery: "api.example.com.",
+		},
+		{
+			name:          "dotCount >= ndots: bare fails, falls back to search domain",
+			queryName:     "api.example.com",
+			ndots:         2,
+			searchDomains: []string{"svc.cluster.local"},
+			knownNames: map[string]string{
+				"api.example.com.svc.cluster.local.": "10.0.0.2",
+			},
+			wantRcode:      mdns.RcodeSuccess,
+			wantAnswer:     "10.0.0.2",
+			wantFirstQuery: "api.example.com.",
+		},
+		{
+			name:          "no search domains: direct upstream query",
+			queryName:     "apache.default",
+			ndots:         5,
+			searchDomains: nil,
+			knownNames: map[string]string{
+				"apache.default.": "10.0.0.3",
+			},
+			wantRcode:      mdns.RcodeSuccess,
+			wantAnswer:     "10.0.0.3",
+			wantFirstQuery: "apache.default.",
+		},
+		{
+			name:          "dotCount < ndots: all search domains fail, falls back to bare name",
+			queryName:     "myservice.ns",
+			ndots:         5,
+			searchDomains: []string{"svc.cluster.local", "cluster.local"},
+			knownNames: map[string]string{
+				"myservice.ns.": "10.0.0.4",
+			},
+			wantRcode:      mdns.RcodeSuccess,
+			wantAnswer:     "10.0.0.4",
+			wantFirstQuery: "myservice.ns.svc.cluster.local.",
+		},
+		{
+			name:          "dotCount < ndots: everything fails returns NXDOMAIN",
+			queryName:     "nonexistent.svc",
+			ndots:         5,
+			searchDomains: []string{"svc.cluster.local"},
+			knownNames:    map[string]string{},
+			wantRcode:     mdns.RcodeNameError,
+			wantAnswer:    "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			log := &queryLog{}
+			fake := newFakeUpstream(t, tt.knownNames, log)
+			defer fake.close()
+
+			host, port, err := net.SplitHostPort(fake.addr)
+			require.NoError(t, err)
+
+			u := &upstream{
+				Upstreams:     []string{host},
+				SearchDomains: tt.searchDomains,
+				Ndots:         tt.ndots,
+			}
+			// Override the upstream port for testing.
+			origPort := upstreamPort
+			defer func() { setUpstreamPort(origPort) }()
+			setUpstreamPort(mustAtoi(port))
+
+			resp := serveDNSHelper(t, u, tt.queryName, mdns.TypeA)
+
+			assert.Equal(t, tt.wantRcode, resp.Rcode, "unexpected rcode")
+
+			if tt.wantAnswer != "" {
+				require.Len(t, resp.Answer, 1, "expected one answer")
+				a, ok := resp.Answer[0].(*mdns.A)
+				require.True(t, ok)
+				assert.Equal(t, tt.wantAnswer, a.A.String())
+			}
+
+			if tt.wantFirstQuery != "" {
+				queries := log.list()
+				require.NotEmpty(t, queries, "expected at least one upstream query")
+				assert.Equal(t, tt.wantFirstQuery, queries[0], "first query mismatch")
+			}
+		})
+	}
+}
+
+func mustAtoi(s string) int {
+	n := 0
+	for _, c := range s {
+		n = n*10 + int(c-'0')
+	}
+	return n
+}