Allow passing public dns into resolve

.github/workflows/cicd.yml

@@ -136,7 +136,7 @@ jobs:
   build-amd:
     name: Build image (linux/amd64)
     needs: [pre-run, prepare]
-    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
+    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]' && needs.prepare.result == 'skipped') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
     runs-on: [self-hosted, linux, x64]
     timeout-minutes: 120
     env:
@@ -269,6 +269,7 @@ jobs:
           context: .
           push: true
           platforms: linux/amd64
+          build-args: VERSION=${{ env.TAG }}
           tags: |
             ${{ env.GHCR_IMAGE }}:amd64-${{ env.TAG }}
             ${{ env.DOCKERHUB_IMAGE }}:amd64-${{ env.TAG }}
@@ -293,7 +294,7 @@ jobs:
   build-arm:
     name: Build image (linux/arm64)
     needs: [pre-run, prepare]
-    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
+    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]' && needs.prepare.result == 'skipped') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
     runs-on: [self-hosted, linux, arm64] # NOTE: ensure label exists on runner
     timeout-minutes: 120
     env:
@@ -393,6 +394,7 @@ jobs:
           context: .
           push: true
           platforms: linux/arm64
+          build-args: VERSION=${{ env.TAG }}
           tags: |
             ${{ env.GHCR_IMAGE }}:arm64-${{ env.TAG }}
             ${{ env.DOCKERHUB_IMAGE }}:arm64-${{ env.TAG }}
@@ -417,7 +419,7 @@ jobs:
   build-armv7:
     name: Build image (linux/arm/v7)
     needs: [pre-run, prepare]
-    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
+    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]' && needs.prepare.result == 'skipped') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
     runs-on: [self-hosted, linux, arm64]
     timeout-minutes: 120
     env:
@@ -509,6 +511,7 @@ jobs:
           context: .
           push: true
           platforms: linux/arm/v7
+          build-args: VERSION=${{ env.TAG }}
           tags: |
             ${{ env.GHCR_IMAGE }}:armv7-${{ env.TAG }}
             ${{ env.DOCKERHUB_IMAGE }}:armv7-${{ env.TAG }}
@@ -887,7 +890,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          make -j 10 go-build-release tag="${TAG}"
+          make -j 10 go-build-release VERSION="${TAG}"
 
       - name: Create GitHub Release (draft)
         uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2

Dockerfile

@@ -17,7 +17,8 @@ RUN go mod download
 COPY . .
 
 # Build the application
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt
+ARG VERSION=dev
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.newtVersion=${VERSION}" -o /newt
 
 FROM public.ecr.aws/docker/library/alpine:3.23 AS runner
 

Makefile

@@ -2,6 +2,9 @@
 
 all: local
 
+VERSION ?= dev
+LDFLAGS = -X main.newtVersion=$(VERSION)
+
 local:
 	CGO_ENABLED=0 go build -o ./bin/newt
 
@@ -40,31 +43,31 @@ go-build-release: \
     go-build-release-freebsd-arm64
 
 go-build-release-linux-arm64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_arm64
 
 go-build-release-linux-arm32-v7:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o bin/newt_linux_arm32
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_arm32
 
 go-build-release-linux-arm32-v6:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o bin/newt_linux_arm32v6
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_arm32v6
 
 go-build-release-linux-amd64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/newt_linux_amd64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_amd64
 
 go-build-release-linux-riscv64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -o bin/newt_linux_riscv64
+	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_riscv64
 
 go-build-release-darwin-arm64:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/newt_darwin_arm64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/newt_darwin_arm64
 
 go-build-release-darwin-amd64:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/newt_darwin_amd64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_darwin_amd64
 
 go-build-release-windows-amd64:
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/newt_windows_amd64.exe
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_windows_amd64.exe
 
 go-build-release-freebsd-amd64:
-	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o bin/newt_freebsd_amd64
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_freebsd_amd64
 
 go-build-release-freebsd-arm64:
-	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o bin/newt_freebsd_arm64
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/newt_freebsd_arm64

clients/clients.go

@@ -162,9 +162,8 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 		useNativeInterface: useNativeInterface,
 	}
 
-	// Create the holepunch manager with ResolveDomain function
-	// We'll need to pass a domain resolver function
-	service.holePunchManager = holepunch.NewManager(sharedBind, newtId, "newt", key.PublicKey().String())
+	// Create the holepunch manager
+	service.holePunchManager = holepunch.NewManager(sharedBind, newtId, "newt", key.PublicKey().String(), nil)
 
 	// Register websocket handlers
 	wsClient.RegisterHandler("newt/wg/receive-config", service.handleConfig)

holepunch/holepunch.go

@@ -27,16 +27,17 @@ type ExitNode struct {
 
 // Manager handles UDP hole punching operations
 type Manager struct {
-	mu         sync.Mutex
-	running    bool
-	stopChan   chan struct{}
-	sharedBind *bind.SharedBind
-	ID         string
-	token      string
-	publicKey  string
-	clientType string
-	exitNodes  map[string]ExitNode // key is endpoint
-	updateChan chan struct{}       // signals the goroutine to refresh exit nodes
+	mu          sync.Mutex
+	running     bool
+	stopChan    chan struct{}
+	sharedBind  *bind.SharedBind
+	ID          string
+	token       string
+	publicKey   string
+	clientType  string
+	exitNodes   map[string]ExitNode // key is endpoint
+	updateChan  chan struct{}        // signals the goroutine to refresh exit nodes
+	publicDNS []string
 
 	sendHolepunchInterval    time.Duration
 	sendHolepunchIntervalMin time.Duration
@@ -49,12 +50,13 @@ const defaultSendHolepunchIntervalMax = 60 * time.Second
 const defaultSendHolepunchIntervalMin = 1 * time.Second
 
 // NewManager creates a new hole punch manager
-func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string) *Manager {
+func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string, publicDNS []string) *Manager {
 	return &Manager{
 		sharedBind:               sharedBind,
 		ID:                       ID,
 		clientType:               clientType,
 		publicKey:                publicKey,
+		publicDNS:              publicDNS,
 		exitNodes:                make(map[string]ExitNode),
 		sendHolepunchInterval:    defaultSendHolepunchIntervalMin,
 		sendHolepunchIntervalMin: defaultSendHolepunchIntervalMin,
@@ -281,7 +283,13 @@ func (m *Manager) TriggerHolePunch() error {
 	// Send hole punch to all exit nodes
 	successCount := 0
 	for _, exitNode := range currentExitNodes {
-		host, err := util.ResolveDomain(exitNode.Endpoint)
+		var host string
+		var err error
+		if len(m.publicDNS) > 0 {
+			host, err = util.ResolveDomainUpstream(exitNode.Endpoint, m.publicDNS)
+		} else {
+			host, err = util.ResolveDomain(exitNode.Endpoint)
+		}
 		if err != nil {
 			logger.Warn("Failed to resolve endpoint %s: %v", exitNode.Endpoint, err)
 			continue
@@ -392,7 +400,13 @@ func (m *Manager) runMultipleExitNodes() {
 
 		var resolvedNodes []resolvedExitNode
 		for _, exitNode := range currentExitNodes {
-			host, err := util.ResolveDomain(exitNode.Endpoint)
+			var host string
+			var err error
+			if len(m.publicDNS) > 0 {
+				host, err = util.ResolveDomainUpstream(exitNode.Endpoint, m.publicDNS)
+			} else {
+				host, err = util.ResolveDomain(exitNode.Endpoint)
+			}
 			if err != nil {
 				logger.Warn("Failed to resolve endpoint %s: %v", exitNode.Endpoint, err)
 				continue

holepunch/tester.go

@@ -49,10 +49,11 @@ type cachedAddr struct {
 
 // HolepunchTester monitors holepunch connectivity using magic packets
 type HolepunchTester struct {
-	sharedBind *bind.SharedBind
-	mu         sync.RWMutex
-	running    bool
-	stopChan   chan struct{}
+	sharedBind  *bind.SharedBind
+	publicDNS []string
+	mu          sync.RWMutex
+	running     bool
+	stopChan    chan struct{}
 
 	// Pending requests waiting for responses (key: echo data as string)
 	pendingRequests sync.Map // map[string]*pendingRequest
@@ -84,9 +85,10 @@ type pendingRequest struct {
 }
 
 // NewHolepunchTester creates a new holepunch tester using the given SharedBind
-func NewHolepunchTester(sharedBind *bind.SharedBind) *HolepunchTester {
+func NewHolepunchTester(sharedBind *bind.SharedBind, publicDNS []string) *HolepunchTester {
 	return &HolepunchTester{
 		sharedBind:   sharedBind,
+		publicDNS:  publicDNS,
 		addrCache:    make(map[string]*cachedAddr),
 		addrCacheTTL: 5 * time.Minute, // Cache addresses for 5 minutes
 	}
@@ -169,7 +171,13 @@ func (t *HolepunchTester) resolveEndpoint(endpoint string) (*net.UDPAddr, error)
 	}
 
 	// Resolve the endpoint
-	host, err := util.ResolveDomain(endpoint)
+	var host string
+	var err error
+	if len(t.publicDNS) > 0 {
+		host, err = util.ResolveDomainUpstream(endpoint, t.publicDNS)
+	} else {
+		host, err = util.ResolveDomain(endpoint)
+	}
 	if err != nil {
 		host = endpoint
 	}

util/util.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/binary"
 	"encoding/hex"
@@ -14,6 +15,99 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 )
 
+func ResolveDomainUpstream(domain string, publicDNS []string) (string, error) {
+	// trim whitespace
+	domain = strings.TrimSpace(domain)
+
+	// Remove any protocol prefix if present (do this first, before splitting host/port)
+	domain = strings.TrimPrefix(domain, "http://")
+	domain = strings.TrimPrefix(domain, "https://")
+
+	// if there are any trailing slashes, remove them
+	domain = strings.TrimSuffix(domain, "/")
+
+	// Check if there's a port in the domain
+	host, port, err := net.SplitHostPort(domain)
+	if err != nil {
+		// No port found, use the domain as is
+		host = domain
+		port = ""
+	}
+
+	// Check if host is already an IP address (IPv4 or IPv6)
+	// For IPv6, the host from SplitHostPort will already have brackets stripped
+	// but if there was no port, we need to handle bracketed IPv6 addresses
+	cleanHost := strings.TrimPrefix(strings.TrimSuffix(host, "]"), "[")
+	if ip := net.ParseIP(cleanHost); ip != nil {
+		// It's already an IP address, no need to resolve
+		ipAddr := ip.String()
+		if port != "" {
+			return net.JoinHostPort(ipAddr, port), nil
+		}
+		return ipAddr, nil
+	}
+
+	// Lookup IP addresses using the upstream DNS servers if provided
+	var ips []net.IP
+	if len(publicDNS) > 0 {
+		var lastErr error
+		for _, server := range publicDNS {
+			// Ensure the upstream DNS address has a port
+			dnsAddr := server
+			if _, _, err := net.SplitHostPort(dnsAddr); err != nil {
+				// No port specified, default to 53
+				dnsAddr = net.JoinHostPort(server, "53")
+			}
+
+			resolver := &net.Resolver{
+				PreferGo: true,
+				Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+					d := net.Dialer{}
+					return d.DialContext(ctx, "udp", dnsAddr)
+				},
+			}
+			ips, lastErr = resolver.LookupIP(context.Background(), "ip", host)
+			if lastErr == nil {
+				break
+			}
+		}
+		if lastErr != nil {
+			return "", fmt.Errorf("DNS lookup failed using all upstream servers: %v", lastErr)
+		}
+	} else {
+		ips, err = net.LookupIP(host)
+		if err != nil {
+			return "", fmt.Errorf("DNS lookup failed: %v", err)
+		}
+	}
+
+	if len(ips) == 0 {
+		return "", fmt.Errorf("no IP addresses found for domain %s", host)
+	}
+
+	// Get the first IPv4 address if available
+	var ipAddr string
+	for _, ip := range ips {
+		if ipv4 := ip.To4(); ipv4 != nil {
+			ipAddr = ipv4.String()
+			break
+		}
+	}
+
+	// If no IPv4 found, use the first IP (might be IPv6)
+	if ipAddr == "" {
+		ipAddr = ips[0].String()
+	}
+
+	// Add port back if it existed
+	if port != "" {
+		ipAddr = net.JoinHostPort(ipAddr, port)
+	}
+
+	return ipAddr, nil
+}
+
+
 func ResolveDomain(domain string) (string, error) {
 	// trim whitespace
 	domain = strings.TrimSpace(domain)