Add TCP listener for DNS resolver (#5113) (#5133)

Author: pronebird

nym-vpn-core/CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add TCP listener for local DNS resolver (https://github.com/nymtech/nym-vpn-client/pull/5113)
+
 ### Changed
 
 - [macOS] Use endpoint-security framework directly instead of parsing eslogger output (https://github.com/nymtech/nym-vpn-client/pull/4749)

nym-vpn-core/crates/nym-vpn-lib/Cargo.toml

@@ -142,13 +142,13 @@ nym-routing.workspace = true
 nym-dns.workspace = true
 nym-firewall.workspace = true
 nym-firewall-config.workspace = true
-socket2.workspace = true
 windows = { workspace = true, features = ["Win32_NetworkManagement_Ndis"] }
 winreg.workspace = true
 
 # Desktop-specific dependencies
 [target.'cfg(any(target_os = "linux", target_os = "macos", target_os = "windows"))'.dependencies]
 hickory-server = { workspace = true, features = ["resolver"] }
+socket2.workspace = true
 nym-routing.workspace = true
 nym-dns.workspace = true
 nym-cgroup.workspace = true

nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs

@@ -16,17 +16,23 @@
 mod unix;
 
 #[cfg(any(target_os = "macos", target_os = "linux"))]
-pub(crate) use unix::{flush_system_cache, new_random_socket};
+pub(crate) use unix::flush_system_cache;
 
 #[cfg(windows)]
 mod windows;
 
 #[cfg(windows)]
-pub(crate) use windows::{flush_system_cache, new_random_socket};
+pub(crate) use windows::flush_system_cache;
 
 #[cfg(test)]
 mod tests;
 
+mod tcp;
+use tcp::new_tcp_listener;
+
+mod udp;
+use udp::new_random_socket;
+
 use async_trait::async_trait;
 use hickory_server::{
     ServerFuture,
@@ -55,7 +61,7 @@ use std::{
     time::{Duration, Instant},
 };
 use tokio::{
-    net::UdpSocket,
+    net::{TcpListener, UdpSocket},
     sync::{Mutex, mpsc, oneshot},
 };
 use tokio_util::{either::Either, sync::CancellationToken};
@@ -111,6 +117,10 @@ const TTL_SECONDS: u32 = 3;
 /// belongs to the documentation range so should never be reachable.
 const RESOLVED_ADDR: Ipv4Addr = Ipv4Addr::new(198, 51, 100, 1);
 
+/// Timeout for TCP client connections.
+/// Any client that does not send any DNS requests within the given timeout will be dropped.
+pub const TCP_CLIENT_TIMEOUT: Duration = Duration::from_secs(60);
+
 /// Resolver errors
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
@@ -370,16 +380,27 @@ impl LocalResolver {
     ) -> Result<(ResolverHandle, tokio::task::JoinHandle<()>), Error> {
         let (tx, rx) = mpsc::unbounded_channel();
 
-        let (resolver_socket, loopback_alias) =
+        let (udp_socket, loopback_alias) =
             new_random_socket(DNS_LISTEN_PORT, use_random_loopback).await?;
-        let resolver_addr = resolver_socket.local_addr().map_err(Error::GetSocketAddr)?;
+        let resolver_addr = udp_socket.local_addr().map_err(Error::GetSocketAddr)?;
 
-        let mut server = Self::new_server(resolver_socket, tx.clone()).await?;
+        // Attempt to bind TCP listener to the same port as UDP, but don't fail if it's not possible.
+        let tcp_listener = new_tcp_listener(resolver_addr)
+            .inspect_err(|_err| {
+                tracing::warn!("Failed to bind TCP socket to {resolver_addr}");
+            })
+            .ok();
+        let is_tcp_available = tcp_listener.is_some();
+
+        let mut server = Self::new_server(udp_socket, tcp_listener, tx.clone()).await?;
 
         let cloned_shutdown_token = shutdown_token.child_token();
         let cloned_tx = tx.clone();
         let dns_server_task = tokio::spawn(async move {
-            tracing::info!("Running DNS resolver on {resolver_addr}");
+            tracing::info!(
+                "Running DNS resolver on {resolver_addr} ({})",
+                if is_tcp_available { "udp, tcp" } else { "udp" }
+            );
 
             loop {
                 tokio::select! {
@@ -405,15 +426,19 @@ impl LocalResolver {
                                 tracing::error!("DNS server unexpectedly stopped: {err}");
                                 tracing::debug!("Attempting to restart server");
 
-                                let socket = match UdpSocket::bind(resolver_addr).await {
+                                let udp_socket = match UdpSocket::bind(resolver_addr).await {
                                     Ok(socket) => socket,
                                     Err(e) => {
-                                        tracing::error!("Failed to bind DNS server to {resolver_addr}: {e}");
+                                        tracing::error!("Failed to bind UDP socket to {resolver_addr}: {e}");
                                         break;
                                     }
                                 };
 
-                                match Self::new_server(socket, cloned_tx.clone()).await {
+                                let tcp_listener = TcpListener::bind(resolver_addr).await.inspect_err(|err| {
+                                    tracing::warn!("Failed to bind TCP socket to {resolver_addr}: {err}");
+                                }).ok();
+
+                                match Self::new_server(udp_socket, tcp_listener, cloned_tx.clone()).await {
                                     Ok(new_server) => {
                                         server = new_server;
                                     }
@@ -452,10 +477,14 @@ impl LocalResolver {
 
     async fn new_server(
         server_socket: UdpSocket,
+        tcp_listener: Option<TcpListener>,
         tx: mpsc::UnboundedSender<ResolverMessage>,
     ) -> Result<ServerFuture<ResolverImpl>, Error> {
         let mut server = ServerFuture::new(ResolverImpl { tx });
         server.register_socket(server_socket);
+        if let Some(tcp_listener) = tcp_listener {
+            server.register_listener(tcp_listener, TCP_CLIENT_TIMEOUT);
+        }
         Ok(server)
     }
 

nym-vpn-core/crates/nym-vpn-lib/src/resolver/tcp.rs

@@ -0,0 +1,42 @@
+// Copyright 2026 Nym Technologies SA <contact@nymtech.net>
+// SPDX-License-Identifier: GPL-3.0-only
+
+use std::net::SocketAddr;
+
+use socket2::{Domain, Protocol, SockAddr, Socket, Type};
+use tokio::net::TcpListener;
+
+const DEFAULT_BACKLOG: i32 = 128;
+
+pub fn new_tcp_listener(socket_addr: SocketAddr) -> std::io::Result<TcpListener> {
+    let domain = Domain::for_address(socket_addr);
+    let socket = Socket::new(domain, Type::STREAM, Some(Protocol::TCP)).inspect_err(|err| {
+        tracing::warn!("Failed to open TCP socket: {err}");
+    })?;
+
+    // SO_NONBLOCK is required for turning this into a tokio socket.
+    socket.set_nonblocking(true).inspect_err(|err| {
+        tracing::warn!("Failed to set TCP socket as nonblocking: {err}");
+    })?;
+
+    // SO_REUSEADDR allows us to bind to `127.x.y.z` even if another socket is bound to `0.0.0.0`.
+    // Best-effort: allow binding even if wildcard is in use. Windows semantics differ but
+    // this is harmless.
+    socket.set_reuse_address(true).inspect_err(|err| {
+        tracing::warn!("Failed to set SO_REUSEADDR on TCP socket: {err}");
+    })?;
+
+    let sa = SockAddr::from(socket_addr);
+    socket.bind(&sa).inspect_err(|err| {
+        tracing::warn!("Failed to bind TCP socket to {socket_addr}: {err}");
+    })?;
+
+    socket.listen(DEFAULT_BACKLOG).inspect_err(|err| {
+        tracing::warn!("Failed to listen TCP socket: {err}");
+    })?;
+
+    let tcp_listener =
+        TcpListener::from_std(std::net::TcpListener::from(socket)).expect("socket is non-blocking");
+
+    Ok(tcp_listener)
+}

nym-vpn-core/crates/nym-vpn-lib/src/resolver/udp.rs

@@ -0,0 +1,67 @@
+// Copyright 2026 Nym Technologies SA <contact@nymtech.net>
+// SPDX-License-Identifier: GPL-3.0-only
+
+use std::net::{IpAddr, Ipv4Addr};
+
+use socket2::{Domain, Protocol, SockAddr, Socket, Type};
+use tokio::net::UdpSocket;
+
+#[cfg(unix)]
+use crate::resolver::unix::RandomLoopbackAlias;
+#[cfg(windows)]
+use crate::resolver::windows::RandomLoopbackAlias;
+use crate::resolver::{BoxedLoopbackAlias, Error, LoopbackAlias};
+
+pub async fn new_random_socket(
+    port: u16,
+    use_random_loopback: bool,
+) -> Result<(UdpSocket, Option<BoxedLoopbackAlias>), Error> {
+    for attempt in 0.. {
+        let (ip, alias): (IpAddr, Option<BoxedLoopbackAlias>) = match attempt {
+            ..3 if !use_random_loopback => continue,
+            ..3 => match RandomLoopbackAlias::assign().await {
+                Ok(random) => (random.addr(), Some(Box::new(random) as BoxedLoopbackAlias)),
+                Err(_) => continue,
+            },
+            3 => (IpAddr::from(Ipv4Addr::LOCALHOST), None),
+            4.. => break,
+        };
+
+        let sock = match Socket::new(Domain::IPV4, Type::DGRAM, Some(Protocol::UDP)) {
+            Ok(sock) => sock,
+            Err(err) => {
+                tracing::error!("Failed to open IPv4/UDP socket: {err}");
+                continue;
+            }
+        };
+
+        // SO_NONBLOCK is required for turning this into a tokio socket.
+        if let Err(err) = sock.set_nonblocking(true) {
+            tracing::warn!("Failed to set UDP socket as nonblocking: {err}");
+            continue;
+        }
+
+        // SO_REUSEADDR enables us to bind to `127.x.y.z` even if another socket is bound to `0.0.0.0`.
+        // Best-effort: allow binding even if wildcard is in use. Windows semantics differ but
+        // this is harmless.
+        if let Err(err) = sock.set_reuse_address(true) {
+            tracing::warn!("Failed to set SO_REUSEADDR on UDP socket: {err}");
+        }
+
+        let sa = SockAddr::from(std::net::SocketAddr::new(ip, port));
+        if let Err(err) = sock.bind(&sa) {
+            tracing::warn!("Failed to bind UDP socket to {ip}: {err}");
+            // Ensure we clean up the alias before retrying.
+            if let Some(alias) = alias {
+                alias.unassign().await;
+            }
+            continue;
+        }
+
+        let socket =
+            UdpSocket::from_std(std::net::UdpSocket::from(sock)).expect("socket is non-blocking");
+        return Ok((socket, alias));
+    }
+
+    Err(Error::UdpBind)
+}

nym-vpn-core/crates/nym-vpn-lib/src/resolver/unix.rs

@@ -2,29 +2,28 @@
 // Copyright 2025 Nym Technologies SA <contact@nymtech.net>
 // SPDX-License-Identifier: GPL-3.0-only
 
-use crate::resolver::{BoxedLoopbackAlias, Error, LoopbackAlias, random_loopback_ipv4};
+use std::{io, net::IpAddr};
+
 use async_trait::async_trait;
-use std::{
-    io,
-    net::{IpAddr, Ipv4Addr},
-};
-use tokio::{net::UdpSocket, task::JoinHandle};
+use tokio::task::JoinHandle;
 use tokio_util::sync::{CancellationToken, DropGuard};
 
+use crate::resolver::{LoopbackAlias, random_loopback_ipv4};
+
 /// Loopback interface name.
 #[cfg(target_os = "macos")]
 const LOOPBACK: &str = "lo0";
 #[cfg(target_os = "linux")]
 const LOOPBACK: &str = "lo";
 
-struct RandomLoopbackAlias {
+pub struct RandomLoopbackAlias {
     addr: IpAddr,
     drop_guard: DropGuard,
     unassign_task: JoinHandle<()>,
 }
 
 impl RandomLoopbackAlias {
-    async fn assign() -> io::Result<Self> {
+    pub async fn assign() -> io::Result<Self> {
         let addr = random_loopback_ipv4();
 
         assign_loopback_alias(addr).await.inspect_err(|e| {
@@ -136,74 +135,6 @@ impl LoopbackAlias for RandomLoopbackAlias {
     }
 }
 
-pub(crate) async fn new_random_socket(
-    port: u16,
-    use_random_loopback: bool,
-) -> Result<(UdpSocket, Option<BoxedLoopbackAlias>), Error> {
-    use nix::{
-        fcntl,
-        sys::socket::{self, AddressFamily, SockFlag, SockProtocol, SockType, SockaddrStorage},
-    };
-    use std::os::fd::AsRawFd;
-
-    for attempt in 0.. {
-        let (socket_addr, on_drop): (IpAddr, Option<BoxedLoopbackAlias>) = match attempt {
-            ..3 if !use_random_loopback => continue,
-
-            ..3 => match RandomLoopbackAlias::assign().await {
-                Ok(random) => (random.addr(), Some(Box::new(random) as BoxedLoopbackAlias)),
-                Err(_) => continue,
-            },
-
-            3 => (IpAddr::from(Ipv4Addr::LOCALHOST), None),
-
-            4.. => break,
-        };
-
-        let sock = match socket::socket(
-            AddressFamily::Inet,
-            SockType::Datagram,
-            SockFlag::empty(),
-            SockProtocol::Udp,
-        ) {
-            Ok(sock) => sock,
-            Err(error) => {
-                tracing::error!("Failed to open IPv4/UDP socket: {error}");
-                continue;
-            }
-        };
-
-        // SO_NONBLOCK is required for turning this into a tokio socket.
-        if let Err(error) = fcntl::fcntl(&sock, fcntl::F_SETFL(fcntl::OFlag::O_NONBLOCK)) {
-            tracing::warn!("Failed to set socket as nonblocking: {error}");
-            continue;
-        }
-
-        // SO_REUSEADDR allows us to bind to `127.x.y.z` even if another socket is bound to
-        // `0.0.0.0`.
-        if let Err(error) = socket::setsockopt(&sock, socket::sockopt::ReuseAddr, &true) {
-            tracing::warn!("Failed to set SO_REUSEADDR on resolver socket: {error}");
-        }
-
-        let sin = SockaddrStorage::from(std::net::SocketAddr::new(socket_addr, port));
-
-        match socket::bind(sock.as_raw_fd(), &sin) {
-            Ok(()) => {
-                let socket = UdpSocket::from_std(sock.into()).expect("socket is non-blocking");
-                return Ok((socket, on_drop));
-            }
-            Err(err) => {
-                tracing::warn!("Failed to bind DNS server to {socket_addr}: {err}");
-                if let Some(on_drop) = on_drop {
-                    on_drop.unassign().await;
-                }
-            }
-        }
-    }
-
-    Err(Error::UdpBind)
-}
-
 pub(crate) fn flush_system_cache() {
     #[cfg(target_os = "macos")]
     {