@btomaev
Contributor

@btomaev btomaev commented Nov 23, 2025

Ref #431
Replaces #682

This PR introduces DNS-based verification features, primarily FCrDNS (#431), to improve client validation.

Implements a VerifyFCrDNS(ip, *pattern) function for strict and pattern-based FCrDNS validation. Adds caching for both forward and reverse DNS lookups to reduce latency and external queries.

Exposes new functions to the policy engine:

  • verifyFCrDNS(ip)
  • verifyFCrDNS(ip, pattern)
  • reverseDNS(ip)
  • lookupHost(hostname)
  • arpaReverseIP(ip) utility for converting an IP to ARPA reverse notation
  • regexSafe(string) utility for safely using dynamic strings in regex patterns

DNS cache TTL can be configured via the dns_ttl setting in the policy file (default: 300s).

dns_ttl:
  forward: 600
  reverse: 600

Added policies for Telegram, VK, and Yandex bots with verifyFCrDNS for more reliable validation.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)
  • All of my commits have verified signatures

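What the forward-confirmed reverse DNS check described above amounts to, as an added Go example written for this page (not the project's code): the PTR lookup yields candidate names, and a name only counts once its own A/AAAA lookup yields the original address again; the optional pattern is applied to confirmed names only, so a client that merely controls its reverse zone cannot claim to be a bot. The `Resolver` interface, the map-backed stub, the TEST-NET addresses and the example.net/example.org names are all assumptions constructed for the example. Unlike the pattern-less behaviour later discussed in the thread, this version fails closed when the reverse lookup errors, including "no such host"; caching is left out.

```go
package main

import (
	"context"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Resolver is the pair of lookups FCrDNS needs. The signatures match
// (*net.Resolver).LookupAddr and LookupHost, so net.DefaultResolver satisfies
// it in production and a map-backed stub satisfies it here.
type Resolver interface {
	LookupAddr(ctx context.Context, addr string) ([]string, error)
	LookupHost(ctx context.Context, host string) ([]string, error)
}

// VerifyFCrDNS does forward-confirmed reverse DNS: PTR(ip) -> names, and a
// name counts only if A/AAAA(name) contains ip again. With a non-nil pattern,
// a confirmed name must also match it. Any error from the reverse lookup,
// including "no such host", fails the check (fail closed).
func VerifyFCrDNS(ctx context.Context, r Resolver, ip string, pattern *regexp.Regexp) (bool, error) {
	want := net.ParseIP(ip)
	if want == nil {
		return false, fmt.Errorf("invalid IP %q", ip)
	}
	names, err := r.LookupAddr(ctx, ip)
	if err != nil {
		return false, err
	}
	for _, name := range names {
		name = strings.TrimSuffix(name, ".") // PTR targets come back fully qualified
		addrs, err := r.LookupHost(ctx, name)
		if err != nil {
			continue // a PTR name that does not resolve cannot confirm anything
		}
		confirmed := false
		for _, a := range addrs {
			if got := net.ParseIP(a); got != nil && got.Equal(want) {
				confirmed = true
				break
			}
		}
		// Only confirmed names are tested against the pattern; matching an
		// unconfirmed PTR string would trust attacker-controlled data.
		if confirmed && (pattern == nil || pattern.MatchString(name)) {
			return true, nil
		}
	}
	return false, nil
}

// ArpaReverseIP returns the PTR owner name for an IPv4 or IPv6 address.
func ArpaReverseIP(ip string) (string, error) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return "", fmt.Errorf("invalid IP %q", ip)
	}
	if v4 := parsed.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0]), nil
	}
	nibbles := hex.EncodeToString(parsed.To16()) // 32 hex digits, one per label
	var b strings.Builder
	for i := len(nibbles) - 1; i >= 0; i-- {
		b.WriteByte(nibbles[i])
		b.WriteByte('.')
	}
	b.WriteString("ip6.arpa")
	return b.String(), nil
}

// HostSuffixPattern builds the "hostname under this domain" pattern a policy
// would pass, escaping the suffix with regexp.QuoteMeta (the role regexSafe
// plays in the PR) so its dots cannot act as wildcards.
func HostSuffixPattern(suffix string) *regexp.Regexp {
	return regexp.MustCompile(`(^|\.)` + regexp.QuoteMeta(suffix) + `$`)
}

// mapResolver is a stub over constructed records; none exist in real DNS.
type mapResolver struct{ ptr, fwd map[string][]string }

var errNoSuchHost = errors.New("no such host")

func (m mapResolver) LookupAddr(_ context.Context, addr string) ([]string, error) {
	if v, ok := m.ptr[addr]; ok {
		return v, nil
	}
	return nil, errNoSuchHost
}

func (m mapResolver) LookupHost(_ context.Context, host string) ([]string, error) {
	if v, ok := m.fwd[host]; ok {
		return v, nil
	}
	return nil, errNoSuchHost
}

// SampleResolver: a genuine bot, an impostor whose PTR names the bot but whose
// forward lookup disagrees, a confirmed host outside the allowed domain, and
// (by omission) an address with no PTR at all.
func SampleResolver() Resolver {
	return mapResolver{
		ptr: map[string][]string{
			"198.51.100.10": {"bot-10.example.net."},
			"203.0.113.7":   {"bot-10.example.net."},
			"198.51.100.11": {"scanner.example.org."},
		},
		fwd: map[string][]string{
			"bot-10.example.net":  {"198.51.100.10"},
			"scanner.example.org": {"198.51.100.11"},
		},
	}
}

func main() {
	r, pat := SampleResolver(), HostSuffixPattern("example.net")
	for _, ip := range []string{"198.51.100.10", "203.0.113.7", "198.51.100.11", "203.0.113.8"} {
		ok, err := VerifyFCrDNS(context.Background(), r, ip, pat)
		fmt.Printf("%-14s verified=%-5v err=%v\n", ip, ok, err)
	}
}
```

The impostor case is the one that justifies the forward step: its PTR string would satisfy the pattern on its own, and only the mismatch between the name's A record and the connecting address rejects it. For production use, swap the stub for `net.DefaultResolver` and add a TTL cache in front of both lookups, as the PR does.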
@Xe Xe self-requested a review November 23, 2025 16:13
@Xe Xe self-assigned this Nov 23, 2025
Contributor

@Xe Xe left a comment

This is excellent. I love it. Well done.

All this is missing is docs for the CEL functions in the expressions docs, but I'll submit a patch with them.

expression:
  all:
    - userAgent.matches("TelegramBot")
    - verifyFCrDNS(remoteAddress, "ptr\\.telegram\\.org$")
Contributor

I love this. So much.

@JasonLovesDoggo
Member

This is the first large PR that I've seen where CI actually passed first try, congrats!! 🥳 🎉🎉

@btomaev
Contributor Author

btomaev commented Nov 25, 2025

So, the cache is now stored in the store. I've also slightly refactored DNS methods logic to make it simpler and clearer.
Now, verifyFCrDNS(addr) without specifying a pattern returns true if the IP has no PTR records (but I'm starting to doubt this solution, what do you think?).

@btomaev btomaev force-pushed the feature/dns branch 3 times, most recently from 75316ce to fe2479e November 25, 2025 23:02
- Add support to simple Valkey/Redis cluster mode
- Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. ([1283](https://github.com/TecharoHQ/anubis/pull/1283))
- Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
- Add Polish locale ([#1292](https://github.com/TecharoHQ/anubis/pull/1309))

Xe and others added 7 commits November 25, 2025 23:30
Add a note to the documentation for `verifyFCrDNS` to clarify that it returns true when no PTR records are found for the given IP address.
The `VerifyFCrDNS` function previously ignored errors returned from reverse DNS lookups. This could lead to incorrect passes when a DNS failure (other than a simple 'not found') occurred. This change ensures that any error from a reverse lookup will cause the FCrDNS check to fail.

The test suite for FCrDNS has been updated to reflect this change. The mock DNS lookups now simulate both 'not found' errors and other generic DNS errors. The test cases have been updated to ensure that the function behaves correctly in both scenarios, resolving a situation where two test cases were effectively duplicates.
Corrected a typo in the `verifyFCrDNS` function documentation.

Additionally, updated the spelling exception list to include new terms and remove redundant entries.
@btomaev btomaev requested a review from Xe November 26, 2025 22:50
Signed-off-by: Xe Iaso <[email protected]>
@Xe Xe merged commit 00fa939 into TecharoHQ:main Nov 27, 2025
18 checks passed