Skip to content

(feat) DNS Authority#236

Open
mattv8 wants to merge 716 commits into
fosrl:devfrom
mattv8:dns-authority
Open

(feat) DNS Authority#236
mattv8 wants to merge 716 commits into
fosrl:devfrom
mattv8:dns-authority

Conversation

@mattv8

@mattv8 mattv8 commented Feb 17, 2026

Copy link
Copy Markdown

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This adds DNS Authority and Auth Proxy capabilities to Newt. The companion Pangolin PR is fosrl/pangolin#2490. More context is in the discussion.

What this does

DNS Authority (dns/authority.go): An authoritative DNS server built on miekg/dns. Listens on port 53 (UDP + TCP), serves A/NS/SOA records for zones pushed from Pangolin. Supports three routing policies:

  • Failover: returns only the highest-priority healthy target
  • Round-robin: rotates through healthy targets
  • Priority: returns all healthy targets

Zones are held in memory and fully repopulated on each Newt reconnect. Wildcard matching is supported (*.example.com matches any subdomain). If no healthy targets exist, falls back to returning all targets (best effort). The server performs a pre-flight port 53 bind check with clear error messages (systemd-resolved, dnsmasq, etc.) and a self-test query after startup.

Auth Proxy (auth/auth.go): An HTTP reverse proxy that enforces SSO at the edge. Uses a hybrid validation model: first tries local JWT verification using an RSA public key fetched from Pangolin (sub-ms latency), then falls back to calling Pangolin's /auth/session/validate API. Supports per-resource SSO toggle, access blocking, email whitelist, and injects X-Auth-User / X-Auth-User-ID headers for the backend.

WebSocket handlers (in main.go): Handles newt/dns/authority/config and newt/auth/proxy/config messages from Pangolin with actions: start, stop, update, remove. Reports DNS server status back to Pangolin via newt/dns/status.

Configuration

Flag / Env Var Default Description
--dns-bind / DNS_BIND_ADDR 0.0.0.0 Bind address for the DNS server
--disable-dns-authority / DISABLE_DNS_AUTHORITY false Disable the DNS server entirely
NEWT_AUTH_PROXY_BIND :80 Bind address for the auth proxy

Backward compatibility

DNS Authority and Auth Proxy only activate when Pangolin pushes configuration. If Pangolin doesn't have the feature enabled, Newt behaves exactly as before. The --disable-dns-authority flag lets operators explicitly opt out even if the server-side is enabled.

Port 53 notes

Port 53 requires root on Linux. If systemd-resolved is occupying port 53, either disable it (sudo systemctl disable --now systemd-resolved) or bind Newt to a specific IP via --dns-bind.

New dependencies

How to test?

Option 1: Full local test stack

There's a complete end-to-end test stack in mattv8/pangolin-testing. It spins up a PostgreSQL, Pangolin, Gerbil, two Newt instances, two backends, and a test client on a Docker bridge network.

git clone https://github.com/mattv8/pangolin-testing testing
cd testing/
sudo modprobe wireguard
docker compose down -v && docker compose up -d
docker compose ps
bash scripts/bootstrap.sh

Verify:

dig @localhost -p 5353 app.test.dev A +short      # → 172.28.0.10
dig @localhost -p 5354 app.test.dev A +short      # → 172.28.0.10
dig @localhost -p 5353 anything.test.dev A +short  # → 172.28.0.10 (wildcard)

Failover:

docker compose stop backend
dig @localhost -p 5353 app.test.dev A +short       # → secondary IP
docker compose start backend

Auth proxy:

curl -sI http://localhost:8080/ | grep Location    # → 302 redirect to login

See the testing README for the architecture diagram and all available test commands.

Option 2: Drop-in to an existing stack

sudo cp /usr/local/bin/newt /usr/local/bin/newt.official
curl -fsSL https://raw.githubusercontent.com/mattv8/pangolin-testing/main/scripts/get-newt.sh | bash
sudo systemctl restart newt
sudo journalctl -u newt -f   # watch for DNS Authority log lines

Rollback:

sudo cp /usr/local/bin/newt.official /usr/local/bin/newt && sudo systemctl restart newt

You'll also need the companion Pangolin build (see the Pangolin PR) to actually push zone configs.

See it in action

Run this command and watch it rotate between my public IP's (please don't DOS me):

for i in $(seq 1 20); do echo "$(date +%H:%M:%S)  $(dig @ns1.postportal.dev.visnovsky.us +short +time=2 +tries=1 postportal.dev.visnovsky.us A | head -1)"; sleep 0.5; done

@mattv8 mattv8 changed the title DNS Authority (feat) DNS Authority Feb 17, 2026
@mattv8 mattv8 force-pushed the dns-authority branch 2 times, most recently from 6dff3f8 to a0bb51f Compare February 18, 2026 23:39
@mattv8

mattv8 commented Feb 20, 2026

Copy link
Copy Markdown
Author

@oschwartz10612 When you get a chance, would love if you took a look

@oschwartz10612

oschwartz10612 commented Feb 23, 2026 via email

Copy link
Copy Markdown
Member

@mattv8

mattv8 commented Feb 24, 2026

Copy link
Copy Markdown
Author

Of course-- take your time and I realize this is a lot. See also the Pangolin side of things at fosrl/pangolin#2490 which also has a bit more information.

marcschaeferger and others added 22 commits March 7, 2026 10:07
Updated CI/CD workflow to improve AWS role handling and image tagging.
Add parseTargetString() for listenPort:host:targetPort using net.SplitHostPort/JoinHostPort. Replace manual split in updateTargets; fix err shadowing on remove. Validate listen port 1–65535 and reject empty host/port; use %w for errors. Add tests for IPv4, IPv6, hostnames, and invalid cases.
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@97e0b38...57a97c7)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...b45d80f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.19.2 to 7.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@10e90e3...d08e5c3)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
  - Always install to /usr/local/bin instead of ~/.local/bin
  - Use sudo automatically when write access is needed
  - Replace bash-specific syntax with POSIX equivalents:
    - Change shebang from #!/bin/bash to #!/bin/sh
    - Replace [[ == *pattern* ]] with case statements
    - Replace echo -e with printf for colored output
  - Script now works with dash, ash, busybox sh, and bash
To aid us in debugging user issues with memory or leaks we need to be able for the user to configure pprof, wait and then provide us the output files to see where memory/leaks occur in actual runtimes
dependabot Bot and others added 16 commits June 4, 2026 17:53
Bumps golang.zx2c4.com/wireguard/windows from 0.5.3 to 1.0.1.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-version: 1.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@4d04d5d...d7f5e7f)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@b5d41d4...eb5cf3a)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.1.0 to 7.2.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@bcafcac...f9f3042)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…-actions/configure-aws-credentials-6.1.1

chore(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1
…te-log-and-reliable-ping-dead-code

fix: remove duplicate wrong error log in socket/fetch and dead code in reliablePing
…ions/stale-10.3.0

chore(deps): bump actions/stale from 10.2.0 to 10.3.0
…zx2c4.com/wireguard/windows-1.0.1

chore(deps): bump golang.zx2c4.com/wireguard/windows from 0.5.3 to 1.0.1
…ker/build-push-action-7.2.0

chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0
…ker/setup-buildx-action-4.1.0

chore(deps): bump docker/setup-buildx-action from 4.0.0 to 4.1.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants