From 6b107f6e0c92ac127aa237eac9961e6cb2d5c76c Mon Sep 17 00:00:00 2001
From: Yevhenii Shcherbina
Date: Thu, 5 Feb 2026 19:15:56 +0000
Subject: [PATCH 1/2] chore: minor refactor
---
 dnsdummy/server.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dnsdummy/server.go b/dnsdummy/server.go
index c2beb01..d837b21 100644
--- a/dnsdummy/server.go
+++ b/dnsdummy/server.go
@@ -12,6 +12,10 @@ const DummyA = "6.6.6.6"
 // DummyAAAA is the IPv6 address returned for every AAAA record query (documentation prefix).
 const DummyAAAA = "2001:db8::1"
+// DefaultDummyDNSPort is the port the dummy DNS server listens on (high port to avoid CAP_NET_BIND_SERVICE).
+// Traffic to port 53 is DNAT'd to this port in the namespace.
+const DefaultDummyDNSPort = "5353"
+
 // Server is a minimal DNS server that responds to every query with a dummy A record.
 // Used inside the network namespace to prevent DNS exfiltration.
 type Server struct {
@@ -89,7 +93,3 @@ func (s *Server) Shutdown() {
 s.logger.Error("dummy DNS TCP server shutdown failed", "error", err)
 }
 }
-
-// DefaultDummyDNSPort is the port the dummy DNS server listens on (high port to avoid CAP_NET_BIND_SERVICE).
-// Traffic to port 53 is DNAT'd to this port in the namespace.
-const DefaultDummyDNSPort = "5353"
From b70e90508029b81c65b76c3369ad23f3649ccfee Mon Sep 17 00:00:00 2001
From: Yevhenii Shcherbina
Date: Thu, 5 Feb 2026 19:54:07 +0000
Subject: [PATCH 2/2] chore: directly rely on use-real-dns flag
---
 nsjail_manager/child.go | 6 ++++--
 nsjail_manager/nsjail/jail.go | 6 ------
 nsjail_manager/parent.go | 1 -
 nsjail_manager/run.go | 2 +-
 4 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/nsjail_manager/child.go b/nsjail_manager/child.go
index 9c5d4d1..d27c10a 100644
--- a/nsjail_manager/child.go
+++ b/nsjail_manager/child.go
@@ -10,6 +10,7 @@ import (
 "time"
 "github.com/cenkalti/backoff/v5"
+ "github.com/coder/boundary/config"
 "github.com/coder/boundary/nsjail_manager/nsjail"
 "golang.org/x/sys/unix"
 )
@@ -47,7 +48,7 @@ func waitForInterface(interfaceName string, timeout time.Duration) error {
 return nil
 }
-func RunChild(logger *slog.Logger, targetCMD []string) error {
+func RunChild(logger *slog.Logger, cfg config.AppConfig) error {
 logger.Info("boundary CHILD process is started")
 vethNetJail := os.Getenv("VETH_JAIL_NAME")
@@ -66,7 +67,7 @@ func RunChild(logger *slog.Logger, targetCMD []string) error {
 }
 logger.Info("child networking is successfully configured")
- if os.Getenv("USE_REAL_DNS") == "true" {
+ if cfg.UseRealDNS {
 logger.Info("using real DNS in namespace (--use-real-dns)")
 } else {
 // Run dummy DNS server in namespace and redirect all DNS to it to prevent DNS exfiltration
@@ -78,6 +79,7 @@ func RunChild(logger *slog.Logger, targetCMD []string) error {
 }
 // Program to run
+ targetCMD := cfg.TargetCMD
 bin := targetCMD[0]
 args := targetCMD[1:]
diff --git a/nsjail_manager/nsjail/jail.go b/nsjail_manager/nsjail/jail.go
index 6c1ebe6..f73ff74 100644
--- a/nsjail_manager/nsjail/jail.go
+++ b/nsjail_manager/nsjail/jail.go
@@ -23,7 +23,6 @@ type Config struct {
 HomeDir string
 ConfigDir string
 CACertPath string
- UseRealDNS bool
 }
 // LinuxJail implements Jailer using Linux network namespaces
@@ -34,7 +33,6 @@ type LinuxJail struct {
 httpProxyPort int
 configDir string
 caCertPath string
- useRealDNS bool
 }
 func NewLinuxJail(config Config) (*LinuxJail, error) {
@@ -43,7 +41,6 @@ func NewLinuxJail(config Config) (*LinuxJail, error) {
 httpProxyPort: config.HttpProxyPort,
 configDir: config.ConfigDir,
 caCertPath: config.CACertPath,
- useRealDNS: config.UseRealDNS,
 }, nil
 }
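Review bot: `RunChild` in nsjail_manager/child.go (hunk at -47,7) is exported and its signature changes here, but it has no doc comment saying which fields of `cfg` it reads. Something like `// RunChild is the entry point of the boundary child process; it configures networking and DNS inside the namespace (per cfg.UseRealDNS) and then runs cfg.TargetCMD.` would do. Since `config.AppConfig` is passed by value and only two fields are visibly used, the comment is also the place to say the rest is ignored, if that is the case. The function body continues outside the hunk.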
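Review bot: In nsjail_manager/child.go (hunk at -66,7), `if cfg.UseRealDNS` makes the DNS-exfiltration control depend on the child resolving its configuration exactly as the parent did, where before the parent handed over its decision explicitly through `USE_REAL_DNS`. Nothing visible shows how `config.AppConfig` is populated in the child; if any of it comes from environment variables or a file, note that `Command` in jail.go rebuilds `cmd.Env` from `getEnvsForTargetProcess`, so the two processes could disagree. The zero value still selects the dummy DNS server, so a mismatch fails closed, but it would silently ignore `--use-real-dns`. I would add a comment above the branch, `// cfg is parsed again in the child; UseRealDNS must resolve the same way as in the parent`, and a test that drives the child path with the flag set. RunChild starts and ends outside this hunk.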
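Review bot: In nsjail_manager/child.go (hunk at -78,6), `bin := targetCMD[0]` indexes `cfg.TargetCMD` without a length check, so an empty command panics in the child instead of returning an error. Now that RunChild receives the whole config, a guard before this line would make the failure explicit: `if len(cfg.TargetCMD) == 0 { return fmt.Errorf("no target command specified") }` (assuming `fmt` is imported in this file, which the hunk does not show). The local alias could then be dropped in favour of `cfg.TargetCMD[0]` and `cfg.TargetCMD[1:]`. The rest of RunChild is outside the hunk, so an earlier check may already exist.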
@@ -71,9 +68,6 @@ func (l *LinuxJail) Command(command []string) *exec.Cmd {
 cmd.Env = getEnvsForTargetProcess(l.configDir, l.caCertPath)
 cmd.Env = append(cmd.Env, "CHILD=true")
 cmd.Env = append(cmd.Env, fmt.Sprintf("VETH_JAIL_NAME=%v", l.vethJailName))
- if l.useRealDNS {
- cmd.Env = append(cmd.Env, "USE_REAL_DNS=true")
- }
 cmd.Stderr = os.Stderr
 cmd.Stdout = os.Stdout
 cmd.Stdin = os.Stdin
diff --git a/nsjail_manager/parent.go b/nsjail_manager/parent.go
index 1cf254e..2583f1b 100644
--- a/nsjail_manager/parent.go
+++ b/nsjail_manager/parent.go
@@ -58,7 +58,6 @@ func RunParent(ctx context.Context, logger *slog.Logger, config config.AppConfig
 HomeDir: config.UserInfo.HomeDir,
 ConfigDir: config.UserInfo.ConfigDir,
 CACertPath: config.UserInfo.CACertPath(),
- UseRealDNS: config.UseRealDNS,
 })
 if err != nil {
 return fmt.Errorf("failed to create jailer: %v", err)
diff --git a/nsjail_manager/run.go b/nsjail_manager/run.go
index e38e431..9bde979 100644
--- a/nsjail_manager/run.go
+++ b/nsjail_manager/run.go
@@ -18,7 +18,7 @@ func isChild() bool {
 // proxy server, and managing the child process lifecycle.
 func Run(ctx context.Context, logger *slog.Logger, config config.AppConfig) error {
 if isChild() {
- return RunChild(logger, config.TargetCMD)
+ return RunChild(logger, config)
 }
 return RunParent(ctx, logger, config)