proxy: add dns64 zero-address prefix validation #499

Open
fakhriaunur wants to merge 1 commit into AdguardTeam:master from fakhriaunur:fix/m1-dns64-validation

@fakhriaunur

Summary

Add zero-address validation for DNS64 prefixes in setupDNS64().

When configuring DNS64 prefixes, a prefix with a zero IPv6 address (e.g., ::/96) would be accepted but causes all IPv4 addresses to map to the same IPv6 address, breaking DNS64 functionality. This change adds validation to reject such prefixes with a clear error message.

Changes

  • Add zero-address validation check in setupDNS64() before the IPv6 format check
  • Reject prefixes where pref.Addr() == netip.MustParseAddr("::")
  • Return error message: "prefix at index %d: %q has zero address"
  • Add table-driven test TestSetupDNS64_ZeroAddressPrefix verifying rejection of ::/96

Root Cause

The DNS64 prefix ::/96 (zero address) would cause all IPv4 addresses to map to the same IPv6 address due to how the lower 32 bits are preserved in the mapping. This effectively breaks DNS64 synthesis since every A record would produce an identical AAAA record.

Testing

# Run tests
go test -v -run TestSetupDNS64_ZeroAddressPrefix ./proxy/
# Output: PASS

# Run race detection
go test -race ./proxy/
# Output: PASS (no races detected)

# Run lint
go vet ./proxy/
# Output: PASS

Code Change Statistics

  • Files modified: 2
  • Lines changed: +4 (dns64.go) +17 (test)
  • Test coverage: setupDNS64() 83.3%

Technical Details

The zero-address check is placed before the IPv6 format validation because:

  1. A zero address is technically a valid IPv6 format
  2. But it's semantically invalid for DNS64 purposes
  3. The check uses netip.MustParseAddr("::") for comparison since netip.Addr has no IsZero() method

    if pref.Addr() == netip.MustParseAddr("::") {
        return fmt.Errorf("prefix at index %d: %q has zero address", i, pref)
    }

Issues

Related to M1 in contrib-cat.md

Checklist

  • Tests pass (go test ./proxy/)
  • No race conditions (go test -race ./proxy/)
  • Lint passes (go vet ./proxy/)
  • Coverage ≥80% for modified functions
  • Error message follows existing pattern
  • Validation placed in correct order (before IPv6 check)

Note: This is a minimal validation fix. The check ensures misconfigured DNS64 prefixes are rejected at setup time rather than causing silent failures during DNS64 synthesis.
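
An added example, not code from this pull request or from dnsproxy: a stand-alone validator that applies the zero-address check to the masked prefix, so that a prefix such as ::1/96, whose Addr() is non-zero but whose network part is ::, is rejected as well. The names validateDNS64Prefixes and rawAddrCheck and the sample prefixes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// validateDNS64Prefixes is a hypothetical helper, not dnsproxy's setupDNS64.
// It rejects prefixes that are not IPv6 or whose network part is all zeroes.
func validateDNS64Prefixes(prefs []netip.Prefix) error {
	for i, pref := range prefs {
		if !pref.Addr().Is6() {
			return fmt.Errorf("prefix at index %d: %q is not an IPv6 prefix", i, pref)
		}

		// Masked clears the host bits, so "::1/96" is compared as "::/96".
		if pref.Masked().Addr() == netip.IPv6Unspecified() {
			return fmt.Errorf("prefix at index %d: %q has zero address", i, pref)
		}
	}

	return nil
}

// rawAddrCheck reproduces the comparison quoted in the pull request
// description: it looks at the address exactly as it was written.
func rawAddrCheck(pref netip.Prefix) (zero bool) {
	return pref.Addr() == netip.MustParseAddr("::")
}

func main() {
	// Constructed sample inputs.
	for _, s := range []string{"64:ff9b::/96", "::/96", "::1/96", "0.0.0.0/0"} {
		pref := netip.MustParsePrefix(s)
		err := validateDNS64Prefixes([]netip.Prefix{pref})
		fmt.Printf("%-14s raw=%-5t validate: %v\n", s, rawAddrCheck(pref), err)
	}
}
```

The raw comparison reports true only for ::/96, while the masked comparison also rejects ::1/96.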
