[management,client] Make DNS ForwarderPort Configurable & Change Well Known Port (#4479)

makes the DNS forwarder port configurable in the management and client components, while changing the well-known port from 5454 to 22054. The change includes version-aware port assignment to ensure backward compatibility. - Adds a configurable `ForwarderPort` field to the DNS configuration protocol - Implements version-based port computation that returns the new port (22054) only when all peers support version 0.59.0 or newer - Updates the client to dynamically restart the DNS forwarder when the port changes
2026-04-18 16:26:38 +00:00 · 2025-10-02 06:02:10 +07:00
parent b85045e723
commit 9bcd3ebed4
13 changed files with 416 additions and 199 deletions
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sync"

 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -11,14 +12,18 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+var (
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	listenPort   uint16 = 5353
+	listenPortMu sync.RWMutex
 )

 const (
-	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
-	ListenPort = 5353
-	dnsTTL     = 60 //seconds
+	dnsTTL = 60 //seconds
 )

 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
@@ -35,12 +40,20 @@ type Manager struct {
 	fwRules      []firewall.Rule
 	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
+	port         uint16
 }

-func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
+func ListenPort() uint16 {
+	listenPortMu.RLock()
+	defer listenPortMu.RUnlock()
+	return listenPort
+}
+
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status, port uint16) *Manager {
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
+		port:           port,
 	}
 }

@@ -54,7 +67,13 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}

-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.firewall, m.statusRecorder)
+	if m.port > 0 {
+		listenPortMu.Lock()
+		listenPort = m.port
+		listenPortMu.Unlock()
+	}
+
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort()), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -94,7 +113,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
-		Values:  []uint16{ListenPort},
+		Values:  []uint16{ListenPort()},
 	}

 	if m.firewall == nil {