From 267c82f4bdc2f4085f449b888e82f22c724349d2 Mon Sep 17 00:00:00 2001
From: Mathieu Virbel
Date: Wed, 11 Feb 2026 18:07:58 -0600
Subject: [PATCH] feat: default DNS to localhost:5353 when proxy is configured

When a proxy is set but no --dns flag or config dnsAddr is specified, automatically use localhost:5353 as the DNS bridge target. This ensures DNS queries go through GreyHaven's controlled infrastructure rather than leaking to public resolvers via tun2socks. Also update proxy credential injection to always set credentials (defaulting to "proxy:proxy" when no command name is available), as required by gost's auth flow.
---
 cmd/greywall/main.go | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/cmd/greywall/main.go b/cmd/greywall/main.go
index e2ffc4d..b9b8bc4 100644
--- a/cmd/greywall/main.go
+++ b/cmd/greywall/main.go
@@ -99,7 +99,7 @@ Configuration file format:
 rootCmd.Flags().BoolVarP(&monitor, "monitor", "m", false, "Monitor and log sandbox violations")
 rootCmd.Flags().StringVarP(&settingsPath, "settings", "s", "", "Path to settings file (default: OS config directory)")
 rootCmd.Flags().StringVar(&proxyURL, "proxy", "", "External SOCKS5 proxy URL (e.g., socks5://localhost:1080)")
- rootCmd.Flags().StringVar(&dnsAddr, "dns", "", "DNS server address on host (e.g., localhost:3153)")
+ rootCmd.Flags().StringVar(&dnsAddr, "dns", "", "DNS server address on host (default: localhost:5353 when proxy is set)")
 rootCmd.Flags().StringVarP(&cmdString, "c", "c", "", "Run command string directly (like sh -c)")
 rootCmd.Flags().StringArrayVarP(&exposePorts, "port", "p", nil, "Expose port for inbound connections (can be used multiple times)")
 rootCmd.Flags().BoolVarP(&showVersion, "version", "v", false, "Show version information")
@@ -229,14 +229,31 @@ func runCommand(cmd *cobra.Command, args []string) error {
 cfg.Network.DnsAddr = dnsAddr
 }

- // Auto-inject command name as SOCKS5 proxy username when no credentials are set.
- // This lets the proxy identify which sandboxed command originated the traffic.
- if cfg.Network.ProxyURL != "" && cmdName != "" {
- if u, err := url.Parse(cfg.Network.ProxyURL); err == nil && u.User == nil {
- u.User = url.User(cmdName)
+ // Default DNS to localhost:5353 when proxy is configured but no DNS address
+ // is specified. GreyHaven typically runs a DNS server on this port, and using
+ // a dedicated DNS bridge ensures DNS queries go through controlled infrastructure
+ // rather than leaking to public resolvers.
+ if cfg.Network.ProxyURL != "" && cfg.Network.DnsAddr == "" {
+ cfg.Network.DnsAddr = "localhost:5353"
+ if debug {
+ fmt.Fprintf(os.Stderr, "[greywall] Defaulting DNS to localhost:5353 (proxy configured, no --dns specified)\n")
+ }
+ }
+
+ // Auto-inject proxy credentials so the proxy can identify the sandboxed command.
+ // - If a command name is available, use it as the username with "proxy" as password.
+ // - If no command name, default to "proxy:proxy" (required by gost for auth).
+ // This always overrides any existing credentials in the URL.
+ if cfg.Network.ProxyURL != "" {
+ if u, err := url.Parse(cfg.Network.ProxyURL); err == nil {
+ proxyUser := "proxy"
+ if cmdName != "" {
+ proxyUser = cmdName
+ }
+ u.User = url.UserPassword(proxyUser, "proxy")
 cfg.Network.ProxyURL = u.String()
 if debug {
- fmt.Fprintf(os.Stderr, "[greywall] Auto-set proxy username to %q\n", cmdName)
+ fmt.Fprintf(os.Stderr, "[greywall] Auto-set proxy credentials to %q:proxy\n", proxyUser)
 }
 }
 }
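Review bot: The new `u.User = url.UserPassword(proxyUser, "proxy")` discards any credentials the operator put in the proxy URL, whereas the removed code only filled in a username when `u.User == nil`; a configured `socks5://user:secret@host` now reaches the proxy as `<cmd>:proxy` and presumably fails auth, or silently downgrades to the shared password if the proxy accepts it. Keeping the guard `if u, err := url.Parse(cfg.Network.ProxyURL); err == nil && u.User == nil {` preserves explicit credentials while still defaulting to `proxy:proxy` when none are set. The `err == nil` branch also swallows a malformed proxy URL, so a URL that cannot be parsed proceeds without the credentials the comment says gost requires; since runCommand returns an error, `return fmt.Errorf("parsing proxy URL %q: %w", cfg.Network.ProxyURL, err)` is the safer outcome. The fixed password deserves a comment so nobody mistakes it for authentication, e.g. `// The password is a fixed shared value; the username attributes traffic to a command but does not authenticate it.` runCommand starts and ends outside this hunk.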