feat!: replace DNS overlay with in-process DNS server (#13)

The old DNS system wrote per-device `/etc/hosts` files and bind-mounted
them into every namespace thread. Lab-wide `dns_entry()` calls rewrote
all files on every mutation, and hickory-resolver could miss late
entries because it reads `/etc/hosts` at construction time.

This replaces it with an in-process DNS server on the IX bridge. Records
live in a `std::sync::RwLock<HashMap>` and are served over UDP via
hickory-proto on both v4 and v6. All mutations are synchronous and
visible to queries before `set_host()` returns.

Per-device `/etc/hosts` overlays are kept for device-local isolation via
`Device::set_host()`. `Device::resolve()` is now async, using
`tokio::net::lookup_host` on the device's async worker so it does not
block the runtime under link impairment. DNS names are normalized to
FQDN internally, so both `"relay.test"` and `"relay.test."` work.

### Breaking changes

- `Lab::dns_entry()` removed — use `lab.dns_server()?.set_host()`
instead.
- `Lab::set_nameserver()` removed — calling `dns_server()` auto-sets
`resolv.conf`.
- `Device::dns_entry()` renamed to `Device::set_host()`.
- `Device::resolve()` is now async.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Frando

Cargo.lock

@@ -25,6 +25,7 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 strum = { version = "0.28", features = ["derive"] }
 tokio = { version = "1", features = ["rt", "macros", "sync", "time", "fs", "net", "io-util", "process"] }
+hickory-proto = { version = "0.25", default-features = false }
 tokio-util = "0.7"
 toml = "1.0"
 tracing = "0.1"

patchbay/Cargo.toml

@@ -372,118 +372,76 @@ pub(crate) struct IfaceBuild {
 
 /// Per-device DNS host entries for `/etc/hosts` overlay.
 ///
-/// Each device gets a persistent hosts file at `<hosts_dir>/<node_id>.hosts`.
-/// A shared `resolv.conf` lives at `<hosts_dir>/resolv.conf`. Files are created
-/// at init with default content and bind-mounted into worker threads at startup.
-/// Subsequent `dns_entry()` / `set_nameserver()` calls just rewrite the file —
-/// glibc picks up changes via mtime check on next `getaddrinfo()`.
-pub(crate) struct DnsEntries {
-    /// Lab-wide entries applied to every device.
-    pub global: Vec<(String, IpAddr)>,
-    /// Per-device entries, keyed by device `NodeId`.
-    pub per_device: HashMap<NodeId, Vec<(String, IpAddr)>>,
-    /// Optional nameserver IP for `/etc/resolv.conf` overlay.
-    pub nameserver: Option<IpAddr>,
+/// Per-device `/etc/hosts` overlay and shared `resolv.conf`.
+///
+/// Each device gets a hosts file at `<hosts_dir>/<node_id>.hosts` and a shared
+/// `resolv.conf` at `<hosts_dir>/resolv.conf`, bind-mounted into worker threads.
+/// Lab-wide DNS records live in [`DnsServer`](crate::dns_server::DnsServer).
+pub(crate) struct DnsOverlayDir {
+    /// Nameservers for `/etc/resolv.conf` overlay.
+    pub nameservers: Vec<IpAddr>,
     /// Directory for generated hosts/resolv files.
     pub hosts_dir: PathBuf,
 }
 
-impl DnsEntries {
+impl DnsOverlayDir {
     fn new(prefix: &str) -> Result<Self> {
         let hosts_dir = std::env::temp_dir().join(format!("patchbay-{prefix}-hosts"));
         std::fs::create_dir_all(&hosts_dir).context("create hosts dir")?;
-        // Create initial resolv.conf with localhost as fallback nameserver.
-        // glibc and hickory-resolver need at least one nameserver entry.
-        let resolv_path = hosts_dir.join("resolv.conf");
         std::fs::write(
-            &resolv_path,
+            hosts_dir.join("resolv.conf"),
             "# generated by patchbay\nnameserver 127.0.0.53\n",
         )
         .context("write initial resolv.conf")?;
         Ok(Self {
-            global: Vec::new(),
-            per_device: HashMap::new(),
-            nameserver: None,
+            nameservers: Vec::new(),
             hosts_dir,
         })
     }
 
-    /// Returns the path to the hosts file for a device. Always valid after
-    /// `ensure_hosts_file()` has been called for this device.
     pub(crate) fn hosts_path_for(&self, device_id: NodeId) -> PathBuf {
         self.hosts_dir.join(format!("{}.hosts", device_id.0))
     }
 
-    /// Returns the path to the shared resolv.conf overlay.
     pub(crate) fn resolv_path(&self) -> PathBuf {
         self.hosts_dir.join("resolv.conf")
     }
 
-    /// Creates the hosts file for a device with default content if it doesn't exist.
+    /// Creates the default hosts file for a device if it doesn't exist.
     pub(crate) fn ensure_hosts_file(&self, device_id: NodeId) -> Result<()> {
         let path = self.hosts_path_for(device_id);
         if !path.exists() {
-            self.write_hosts_file(device_id)?;
+            std::fs::write(
+                &path,
+                "# generated by patchbay\n127.0.0.1\tlocalhost\n::1\tlocalhost\n",
+            )
+            .with_context(|| format!("write {}", path.display()))?;
         }
         Ok(())
     }
 
-    /// Writes (or rewrites) the hosts file for a single device.
-    pub(crate) fn write_hosts_file(&self, device_id: NodeId) -> Result<()> {
+    /// Appends a host entry to a device's hosts file.
+    pub(crate) fn append_host(&self, device_id: NodeId, name: &str, ip: IpAddr) -> Result<()> {
+        use std::io::Write;
         let path = self.hosts_path_for(device_id);
-        let mut buf =
-            String::from("# generated by patchbay\n127.0.0.1\tlocalhost\n::1\tlocalhost\n");
-        for (name, ip) in &self.global {
-            buf.push_str(&format!("{ip}\t{name}\n"));
-        }
-        if let Some(entries) = self.per_device.get(&device_id) {
-            for (name, ip) in entries {
-                buf.push_str(&format!("{ip}\t{name}\n"));
-            }
-        }
-        std::fs::write(&path, buf.as_bytes())
-            .with_context(|| format!("write {}", path.display()))?;
-        Ok(())
-    }
-
-    /// Rewrites hosts files for all given devices.
-    pub(crate) fn write_all_hosts_files(&self, device_ids: &[NodeId]) -> Result<()> {
-        for &id in device_ids {
-            self.write_hosts_file(id)?;
-        }
+        let mut f = std::fs::OpenOptions::new()
+            .append(true)
+            .open(&path)
+            .with_context(|| format!("open {}", path.display()))?;
+        writeln!(f, "{ip}\t{name}").with_context(|| format!("append to {}", path.display()))?;
         Ok(())
     }
 
-    /// Writes the resolv.conf file with the current nameserver setting.
     pub(crate) fn write_resolv_conf(&self) -> Result<()> {
         let path = self.resolv_path();
-        let content = match self.nameserver {
-            Some(ip) => format!("# generated by patchbay\nnameserver {ip}\n"),
-            None => "# generated by patchbay\n".to_string(),
-        };
+        let mut content = String::from("# generated by patchbay\n");
+        for ip in &self.nameservers {
+            content.push_str(&format!("nameserver {ip}\n"));
+        }
         std::fs::write(&path, content.as_bytes())
             .with_context(|| format!("write {}", path.display()))?;
         Ok(())
     }
-
-    /// Resolves a name using global + per-device entries. Returns the first match.
-    pub(crate) fn resolve(&self, device_id: Option<NodeId>, name: &str) -> Option<IpAddr> {
-        if let Some(id) = device_id {
-            if let Some(entries) = self.per_device.get(&id) {
-                for (n, ip) in entries {
-                    if n == name {
-                        return Some(*ip);
-                    }
-                }
-            }
-        }
-        for (n, ip) in &self.global {
-            if n == name {
-                return Some(*ip);
-            }
-        }
-        None
-    }
 }
 
 /// Per-region metadata stored in `NetworkCore`.
@@ -567,6 +525,8 @@ pub(crate) struct LabInner {
     pub ipv6_dad_mode: Ipv6DadMode,
     /// IPv6 provisioning behavior.
     pub ipv6_provisioning_mode: Ipv6ProvisioningMode,
+    /// In-process DNS server on the IX bridge (lazy, started on first access).
+    pub dns_server: std::sync::Mutex<Option<crate::dns_server::DnsServer>>,
     /// Writer task handle (kept alive until lab is dropped).
     pub writer_handle: std::sync::Mutex<Option<tokio::task::JoinHandle<()>>>,
     /// Test outcome flag shared with the writer and [`TestGuard`].
@@ -580,6 +540,9 @@ pub(crate) struct LabInner {
 impl Drop for LabInner {
     fn drop(&mut self) {
         self.cancel.cancel();
+        if let Some(dns) = self.dns_server.get_mut().unwrap().take() {
+            dns.shutdown();
+        }
 
         // Determine final status from the test guard.
         let status = match self.test_status.load(Ordering::Acquire) {
@@ -652,7 +615,7 @@ impl LabInner {
 pub(crate) struct NetworkCore {
     pub(crate) cfg: CoreConfig,
     /// DNS host entries for `/etc/hosts` overlay in spawned commands.
-    pub(crate) dns: DnsEntries,
+    pub(crate) dns: DnsOverlayDir,
     next_id: u64,
     next_private_subnet: u16,
     next_public_subnet: u16,
@@ -688,7 +651,7 @@ impl Drop for NetworkCore {
 impl NetworkCore {
     /// Constructs a new topology core and pre-creates the IX switch.
     pub(crate) fn new(cfg: CoreConfig) -> Result<Self> {
-        let dns = DnsEntries::new(&cfg.prefix).context("create DNS entries dir")?;
+        let dns = DnsOverlayDir::new(&cfg.prefix).context("create DNS entries dir")?;
         let mut core = Self {
             cfg,
             dns,
@@ -1682,13 +1645,6 @@ impl NetworkCore {
         Ok((ns, old_ip, new_ip, prefix_len))
     }
 
-    /// Adds a global DNS entry and writes all hosts files.
-    pub(crate) fn add_dns_entry(&mut self, name: &str, ip: IpAddr) -> Result<()> {
-        self.dns.global.push((name.to_string(), ip));
-        let ids: Vec<_> = self.all_device_ids();
-        self.dns.write_all_hosts_files(&ids)
-    }
-
     // ── Link target resolution ───────────────────────────────────────
 
     /// Resolves the `(namespace, ifname)` for impairment between two connected nodes.