madeye
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.lock‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 2 deletions b/‎Cargo.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 36 additions & 40 deletions b/‎README.md‎
Lines changed: 36 additions & 40 deletions
diff --git a/‎docs/index.html‎
Lines changed: 28 additions & 21 deletions b/‎docs/index.html‎
Lines changed: 28 additions & 21 deletions
diff --git a/‎scripts/pf_setup.sh‎
Lines changed: 5 additions & 8 deletions b/‎scripts/pf_setup.sh‎
Lines changed: 5 additions & 8 deletions
@@ -1,6 +1,6 @@
 [package]
 name = "trans_proxy"
-version = "0.2.0"
+version = "0.3.0"
 edition = "2021"
 description = "Transparent proxy for macOS pf redirection with upstream HTTP CONNECT proxy support"
 license = "MIT"
@@ -11,7 +11,7 @@ authors = ["Max Lv <max.c.lv@gmail.com>"]
 tokio = { version = "1", features = ["full"] }
 socket2 = "0.5"
 clap = { version = "4", features = ["derive"] }
-tracing = "0.1"
+tracing = { version = "0.1", features = ["max_level_debug", "release_max_level_info"] }
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 anyhow = "1"
 reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }
 
@@ -18,7 +18,7 @@ Designed to run on a Mac acting as a side router (gateway) for other devices on
 
 - **pf integration** — Uses `DIOCNATLOOK` ioctl on `/dev/pf` to recover original destinations from pf's NAT state table
 - **SNI extraction** — Peeks at TLS ClientHello to extract hostnames, sending proper `CONNECT host:port` instead of raw IPs
-- **DNS interception** — Optional local DNS forwarder that builds an IP→domain lookup table as a fallback for hostname resolution (supports both traditional UDP and DNS-over-HTTPS)
+- **DNS forwarder** — Listens directly on the gateway interface (port 53) for LAN client DNS queries, building an IP→domain lookup table. Supports DNS-over-HTTPS (DoH) and traditional UDP upstream.
 - **Anchor-based pf rules** — Won't clobber your existing firewall config
 - **Daemon mode** — Run as a background process with PID file and log file support
 - **Async I/O** — Built on tokio with per-connection task spawning
@@ -27,7 +27,7 @@ Designed to run on a Mac acting as a side router (gateway) for other devices on
 
 - macOS 12+ (uses pf and `DIOCNATLOOK` ioctl)
 - Rust 1.70+ and Cargo
-- Root privileges (for `/dev/pf` access and pf rule management)
+- Root privileges (for `/dev/pf` access and port 53 binding)
 - An upstream HTTP CONNECT proxy (e.g., Squid, mitmproxy, or any CONNECT-capable proxy)
 
 ## Build
@@ -57,19 +57,18 @@ cargo test
 This example assumes your upstream HTTP proxy runs on `127.0.0.1:1082` and your LAN interface is `en0`.
 
 ```bash
-# Step 1: Start the transparent proxy with DNS interception (DoH by default)
+# Step 1: Start the transparent proxy with DNS on the gateway interface
 sudo ./target/release/trans_proxy \
   --upstream-proxy 127.0.0.1:1082 \
-  --dns-listen 0.0.0.0:5353
+  --dns
 
 # Or run as a daemon
 sudo ./target/release/trans_proxy \
   --upstream-proxy 127.0.0.1:1082 \
-  --dns-listen 0.0.0.0:5353 \
-  -d
+  --dns -d
 
 # Step 2: Set up pf redirection (in another terminal, or same if using -d)
-sudo scripts/pf_setup.sh en0 8443 5353
+sudo scripts/pf_setup.sh en0 8443
 
 # Step 3: Configure client devices (see "Client Setup" below)
 
@@ -86,45 +85,44 @@ sudo kill $(cat /var/run/trans_proxy.pid)
 The proxy requires root to open `/dev/pf` for NAT lookups:
 
 ```bash
-# Minimal — proxy only, no DNS interception
+# Minimal — proxy only, no DNS
 sudo ./target/release/trans_proxy \
   --upstream-proxy <proxy_host>:<proxy_port>
 
-# Full — with DNS interception (uses Cloudflare DoH by default)
+# With DNS on the gateway interface (auto-detects en0 IP, listens on port 53)
 sudo ./target/release/trans_proxy \
   --upstream-proxy <proxy_host>:<proxy_port> \
-  --dns-listen 0.0.0.0:5353
+  --dns
 
-# Use a specific DoH provider
+# Specify a different interface
 sudo ./target/release/trans_proxy \
   --upstream-proxy <proxy_host>:<proxy_port> \
-  --dns-listen 0.0.0.0:5353 \
-  --dns-upstream https://dns.google/dns-query
+  --dns --interface en1
 
-# Use traditional UDP DNS instead of DoH
+# Override DNS listen address manually
 sudo ./target/release/trans_proxy \
   --upstream-proxy <proxy_host>:<proxy_port> \
-  --dns-listen 0.0.0.0:5353 \
-  --dns-upstream 8.8.8.8:53
+  --dns-listen 192.168.1.42:53
 
-# Custom listen address and debug logging
+# Use a specific DoH provider
 sudo ./target/release/trans_proxy \
-  --listen-addr 0.0.0.0:9999 \
-  --upstream-proxy 127.0.0.1:1082 \
-  --dns-listen 0.0.0.0:5353 \
-  --log-level debug
+  --upstream-proxy <proxy_host>:<proxy_port> \
+  --dns --dns-upstream https://dns.google/dns-query
+
+# Use traditional UDP DNS instead of DoH
+sudo ./target/release/trans_proxy \
+  --upstream-proxy <proxy_host>:<proxy_port> \
+  --dns --dns-upstream 8.8.8.8:53
 
 # Run as a background daemon
 sudo ./target/release/trans_proxy \
   --upstream-proxy 127.0.0.1:1082 \
-  --dns-listen 0.0.0.0:5353 \
-  -d
+  --dns -d
 
 # Daemon with custom PID and log file
 sudo ./target/release/trans_proxy \
   --upstream-proxy 127.0.0.1:1082 \
-  --dns-listen 0.0.0.0:5353 \
-  -d --pid-file /tmp/trans_proxy.pid \
+  --dns -d --pid-file /tmp/trans_proxy.pid \
   --log-file /tmp/trans_proxy.log
 ```
 
@@ -135,24 +133,23 @@ sudo ./target/release/trans_proxy \
 | `--listen-addr` | `0.0.0.0:8443` | Address and port the proxy listens on |
 | `--upstream-proxy` | *(required)* | Upstream HTTP CONNECT proxy address (`host:port`) |
 | `--log-level` | `info` | Log verbosity: `trace`, `debug`, `info`, `warn`, `error` |
-| `--dns-listen` | *(disabled)* | Enable DNS forwarder on this address (e.g., `0.0.0.0:5353`) |
+| `--dns` | off | Enable DNS forwarder on the gateway interface (port 53) |
+| `--interface` | `en0` | Network interface for DNS auto-detection (used with `--dns`) |
+| `--dns-listen` | *(auto)* | Override DNS listen address (e.g., `192.168.1.42:53`) |
 | `--dns-upstream` | `https://cloudflare-dns.com/dns-query` | Upstream DNS: `host:port` for UDP, or `https://` URL for DoH |
 | `-d` / `--daemon` | off | Run as a background daemon |
 | `--pid-file` | `/var/run/trans_proxy.pid` | PID file path (used with `--daemon`) |
 | `--log-file` | `/var/log/trans_proxy.log` (daemon) / stderr | Log file path |
 
 ### Setting up pf redirection
 
-The included scripts manage pf rules via an anchor (won't interfere with existing firewall rules):
+The included scripts manage pf rules via an anchor (won't interfere with existing firewall rules).
+DNS no longer needs pf redirection — trans_proxy listens directly on port 53.
 
 ```bash
-# Redirect HTTP/HTTPS only
+# Set up HTTP/HTTPS redirection
 sudo scripts/pf_setup.sh <interface> [proxy_port]
 sudo scripts/pf_setup.sh en0 8443
-
-# Redirect HTTP/HTTPS + DNS
-sudo scripts/pf_setup.sh <interface> [proxy_port] [dns_port]
-sudo scripts/pf_setup.sh en0 8443 5353
 ```
 
 The setup script prints the gateway IP and configuration summary:
@@ -166,7 +163,7 @@ The setup script prints the gateway IP and configuration summary:
 Done.
   Gateway IP:  192.168.1.42 (en0)
   HTTP/HTTPS:  ports 80,443 -> 127.0.0.1:8443
-  DNS:         port 53 -> 127.0.0.1:5353
+  DNS:         use --dns flag to listen on 192.168.1.42:53 directly
 
 Configure client devices to use 192.168.1.42 as their gateway.
 Set DNS server to 192.168.1.42 on client devices.
@@ -189,8 +186,7 @@ Run trans_proxy as a background process:
 # Start as daemon
 sudo ./target/release/trans_proxy \
   --upstream-proxy 127.0.0.1:1082 \
-  --dns-listen 0.0.0.0:5353 \
-  -d
+  --dns -d
 
 # Check status
 cat /var/run/trans_proxy.pid
@@ -211,7 +207,7 @@ In daemon mode:
 On each device you want to route through the proxy:
 
 1. **Set the default gateway** to the Mac's IP address (shown by the setup script)
-2. **Set the DNS server** to the Mac's IP address (if using `--dns-listen`)
+2. **Set the DNS server** to the Mac's IP address (if using `--dns`)
 
 #### macOS / iOS
 Settings → Wi-Fi → (i) → Configure IP → Manual → Router: `<gateway_ip>`, DNS: `<gateway_ip>`
@@ -246,7 +242,7 @@ Settings → Wi-Fi → Long press network → Modify → Advanced → IP setting
 The proxy resolves hostnames for CONNECT requests using a fallback chain:
 
 1. **SNI extraction** — Parses the TLS ClientHello to read the Server Name Indication extension (port 443 only). No TLS termination or certificate generation required.
-2. **DNS table lookup** — If `--dns-listen` is enabled, the built-in DNS forwarder records IP→domain mappings from A record responses. Works for both HTTP (port 80) and HTTPS (port 443).
+2. **DNS table lookup** — If `--dns` is enabled, the built-in DNS forwarder records IP→domain mappings from A record responses. Works for both HTTP (port 80) and HTTPS (port 443).
 3. **Raw IP** — Falls back to the IP address if no hostname can be determined.
 
 ### Why DIOCNATLOOK?
@@ -272,9 +268,9 @@ This is a harmless warning from `pfctl`. macOS doesn't include ALTQ — pf redir
 - Ensure IP forwarding is enabled: `sysctl net.inet.ip.forwarding` (should be `1`)
 
 ### DNS not resolving on client devices
-- Ensure `--dns-listen` is set and the DNS forwarder is running
-- Ensure pf is redirecting port 53: `sudo pfctl -a trans_proxy -s rules`
-- Test: `dig @<gateway_ip> -p 5353 example.com`
+- Ensure `--dns` is set and the DNS forwarder is running
+- Check that trans_proxy logs show `DNS forwarder listening on <ip>:53`
+- Test: `dig @<gateway_ip> example.com`
 
 ## License
 
 
@@ -506,7 +506,7 @@ <h1><code>trans_proxy</code></h1>
           <g>
             <rect x="30" y="180" width="170" height="46" rx="8" fill="#161b22" stroke="#30363d" stroke-width="1.5"/>
             <text x="115" y="203" text-anchor="middle" fill="#8b949e" font-family="'SF Mono', monospace" font-size="12">DNS Forwarder</text>
-            <text x="115" y="218" text-anchor="middle" fill="#8b949e" font-family="'SF Mono', monospace" font-size="10">:5353</text>
+            <text x="115" y="218" text-anchor="middle" fill="#8b949e" font-family="'SF Mono', monospace" font-size="10">:53</text>
           </g>
 
           <!-- ============ STATIC LINES & LABELS ============ -->
@@ -831,8 +831,8 @@ <h3>SNI Extraction</h3>
           <p>Peeks at the TLS ClientHello to extract hostnames, sending proper <code>CONNECT host:port</code> instead of raw IPs. No TLS termination or certificate generation needed.</p>
         </div>
         <div class="feature">
-          <h3>DNS Interception</h3>
-          <p>Optional local DNS forwarder that captures A record responses and builds an IP&rarr;domain lookup table. Supports DNS-over-HTTPS (DoH) and traditional UDP upstream.</p>
+          <h3>DNS Forwarder</h3>
+          <p>Listens directly on the gateway interface (port 53) for LAN client DNS queries. Builds an IP&rarr;domain lookup table. Supports DoH and UDP upstream.</p>
         </div>
         <div class="feature">
           <h3>Safe pf Anchors</h3>
@@ -891,26 +891,22 @@ <h2>Quick Start</h2>
       <div class="steps">
         <div class="step">
           <h3>Start the transparent proxy</h3>
-          <p>Run with DNS interception enabled (uses Cloudflare DoH by default):</p>
-<pre class="code"><span class="comment"># Foreground</span>
+          <p>Run with DNS on the gateway interface (uses Cloudflare DoH by default):</p>
+<pre class="code"><span class="comment"># Foreground (auto-detects en0 IP, listens on port 53)</span>
 <span class="cmd">sudo ./target/release/trans_proxy</span> \
   <span class="flag">--upstream-proxy</span> <span class="value">127.0.0.1:1082</span> \
-  <span class="flag">--dns-listen</span> <span class="value">0.0.0.0:5353</span>
+  <span class="flag">--dns</span>
 
 <span class="comment"># Or as a daemon</span>
 <span class="cmd">sudo ./target/release/trans_proxy</span> \
   <span class="flag">--upstream-proxy</span> <span class="value">127.0.0.1:1082</span> \
-  <span class="flag">--dns-listen</span> <span class="value">0.0.0.0:5353</span> <span class="flag">-d</span></pre>
+  <span class="flag">--dns</span> <span class="flag">-d</span></pre>
         </div>
 
         <div class="step">
           <h3>Set up pf redirection</h3>
-          <p>In another terminal, install the pf rules:</p>
-<pre class="code"><span class="comment"># With DNS redirect (recommended)</span>
-<span class="cmd">sudo scripts/pf_setup.sh</span> <span class="value">en0 8443 5353</span>
-
-<span class="comment"># Without DNS redirect</span>
-<span class="cmd">sudo scripts/pf_setup.sh</span> <span class="value">en0 8443</span></pre>
+          <p>In another terminal, install the pf rules (HTTP/HTTPS only &mdash; DNS is handled directly):</p>
+<pre class="code"><span class="cmd">sudo scripts/pf_setup.sh</span> <span class="value">en0 8443</span></pre>
           <p>The script prints your gateway IP and setup summary.</p>
         </div>
 
@@ -957,10 +953,20 @@ <h2>CLI Reference</h2>
             <td>info</td>
             <td>Log verbosity: trace, debug, info, warn, error</td>
           </tr>
+          <tr>
+            <td><code>--dns</code></td>
+            <td>off</td>
+            <td>Enable DNS forwarder on the gateway interface (port 53)</td>
+          </tr>
+          <tr>
+            <td><code>--interface</code></td>
+            <td>en0</td>
+            <td>Network interface for DNS auto-detection</td>
+          </tr>
           <tr>
             <td><code>--dns-listen</code></td>
-            <td><em>disabled</em></td>
-            <td>Enable DNS forwarder on this address</td>
+            <td><em>auto</em></td>
+            <td>Override DNS listen address (e.g., <code>192.168.1.42:53</code>)</td>
           </tr>
           <tr>
             <td><code>--dns-upstream</code></td>
@@ -986,8 +992,9 @@ <h2>CLI Reference</h2>
       </table>
 
       <h3 style="margin-top: 32px;">pf Scripts</h3>
-<pre class="code"><span class="comment"># Setup: pf_setup.sh &lt;interface&gt; [proxy_port] [dns_port]</span>
-<span class="cmd">sudo scripts/pf_setup.sh</span> <span class="value">en0 8443 5353</span>
+<pre class="code"><span class="comment"># Setup: pf_setup.sh &lt;interface&gt; [proxy_port]</span>
+<span class="comment"># DNS no longer needs pf redirection &mdash; listens on port 53 directly</span>
+<span class="cmd">sudo scripts/pf_setup.sh</span> <span class="value">en0 8443</span>
 
 <span class="comment"># Teardown: flushes anchor rules, disables IP forwarding</span>
 <span class="cmd">sudo scripts/pf_teardown.sh</span></pre>
@@ -1019,7 +1026,7 @@ <h3>1. SNI</h3>
         </div>
         <div class="feature">
           <h3>2. DNS Table</h3>
-          <p>IP&rarr;domain mapping from intercepted DNS responses (via DoH or UDP). Works for HTTP and HTTPS. Requires <code>--dns-listen</code>.</p>
+          <p>IP&rarr;domain mapping from DNS responses (via DoH or UDP). Works for HTTP and HTTPS. Requires <code>--dns</code>.</p>
         </div>
         <div class="feature">
           <h3>3. Raw IP</h3>
@@ -1098,9 +1105,9 @@ <h2>Troubleshooting</h2>
         <details class="faq-item">
           <summary>DNS not resolving on client devices</summary>
           <div class="faq-body">
-            Ensure <code>--dns-listen</code> is set and the DNS forwarder is running.<br>
-            Ensure pf is redirecting port 53: <code>sudo pfctl -a trans_proxy -s rules</code><br>
-            Test directly: <code>dig @&lt;gateway_ip&gt; -p 5353 example.com</code>
+            Ensure <code>--dns</code> is set and the DNS forwarder is running.<br>
+            Check that trans_proxy logs show <code>DNS forwarder listening on &lt;ip&gt;:53</code>.<br>
+            Test directly: <code>dig @&lt;gateway_ip&gt; example.com</code>
           </div>
         </details>
       </div>
 
@@ -1,12 +1,11 @@
 #!/bin/bash
 set -euo pipefail
 
-# Usage: pf_setup.sh <interface> [proxy_port] [dns_port]
-# Example: pf_setup.sh en0 8443 5353
+# Usage: pf_setup.sh <interface> [proxy_port]
+# Example: pf_setup.sh en0 8443
 
-IFACE="${1:?Usage: $0 <interface> [proxy_port] [dns_port]}"
+IFACE="${1:?Usage: $0 <interface> [proxy_port]}"
 PROXY_PORT="${2:-8443}"
-DNS_PORT="${3:-}"
 ANCHOR="trans_proxy"
 
 echo "==> Enabling IP forwarding"
@@ -29,13 +28,11 @@ EOF
     sudo pfctl -a "${ANCHOR}" -f /dev/stdin <<EOF
 # Redirect HTTP and HTTPS traffic arriving on ${IFACE} to transparent proxy
 rdr on ${IFACE} proto tcp from any to any port {80, 443} -> 127.0.0.1 port ${PROXY_PORT}
-$([ -n "${DNS_PORT}" ] && echo "rdr on ${IFACE} proto {tcp, udp} from any to any port 53 -> 127.0.0.1 port ${DNS_PORT}")
 EOF
 else
     echo "    Anchor already exists, updating rules"
     sudo pfctl -a "${ANCHOR}" -f /dev/stdin <<EOF
 rdr on ${IFACE} proto tcp from any to any port {80, 443} -> 127.0.0.1 port ${PROXY_PORT}
-$([ -n "${DNS_PORT}" ] && echo "rdr on ${IFACE} proto {tcp, udp} from any to any port 53 -> 127.0.0.1 port ${DNS_PORT}")
 EOF
 fi
 
@@ -51,8 +48,8 @@ echo ""
 echo "Done."
 echo "  Gateway IP:  ${GATEWAY_IP:-<unknown>} (${IFACE})"
 echo "  HTTP/HTTPS:  ports 80,443 -> 127.0.0.1:${PROXY_PORT}"
-[ -n "${DNS_PORT}" ] && echo "  DNS:         port 53 -> 127.0.0.1:${DNS_PORT}"
+echo "  DNS:         use --dns flag to listen on ${GATEWAY_IP:-<interface-ip>}:53 directly"
 echo ""
 echo "Configure client devices to use ${GATEWAY_IP:-this machine} as their gateway."
-[ -n "${DNS_PORT}" ] && echo "Set DNS server to ${GATEWAY_IP:-this machine} on client devices."
+echo "Set DNS server to ${GATEWAY_IP:-this machine} on client devices."
 echo "Run scripts/pf_teardown.sh to undo."