fix(dns): validate nameserver addresses are valid IP addresses #534

Open
cluster2600 wants to merge 1 commit into apple:main from cluster2600:fix/467-validate-nameserver-ip-addresses

@cluster2600

What

Add a DNS.validate() method that verifies all nameserver entries are valid IPv4 or IPv6 addresses. The method is called from Vminitd.configureDNS() before applying the configuration.

Why

Closes #467. Currently, any arbitrary string can be passed as a nameserver in DNSConfiguration, which silently results in an invalid /etc/resolv.conf inside the container. Hostname strings like dns.example.com would be written to resolv.conf but would not work as nameservers.

How

  • Added DNS.validate() throws method in DNSConfiguration.swift that iterates over all nameservers and attempts to parse each as either an IPv4Address or IPv6Address (using the existing parsers in ContainerizationExtras)
  • Added import ContainerizationExtras to DNSConfiguration.swift (the Containerization target already depends on ContainerizationExtras)
  • Called config.validate() at the start of Vminitd.configureDNS() so validation happens before any GRPC call

Testing

Added 6 new unit tests in DNSTests.swift:

  • ✅ Valid IPv4 nameservers accepted
  • ✅ Valid IPv6 nameservers accepted
  • ✅ Mixed IPv4/IPv6 nameservers accepted
  • ✅ Empty nameserver list accepted
  • ❌ Hostname rejected
  • ❌ Invalid address rejected

Checklist

  • Tests added
  • No breaking changes to existing API (validate() is a new method, existing init is unchanged)
  • Follows existing patterns (uses ContainerizationExtras IP address types, ContainerizationError for errors)

Resolves apple#467.

Previously, any arbitrary string could be passed as a nameserver in
DNS configuration, which would silently result in an invalid
/etc/resolv.conf inside the container.

This change adds a DNS.validate() method that ensures every nameserver
string is a valid IPv4 or IPv6 address (using the existing
ContainerizationExtras parsers). The method is called from
Vminitd.configureDNS() before applying the configuration.

Tests added to DNSTests.swift covering valid IPv4, IPv6, mixed, empty
nameserver lists, and invalid hostname/address rejection.
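
The validate-before-write pattern described in this pull request, as an added Swift example that is not part of the PR or the project's code. It assumes `inet_pton` as a stand-in for the ContainerizationExtras parsers (whose signatures are not shown on this page); `InvalidNameserver`, `isIPLiteral` and `renderResolvConf` are hypothetical names.

```swift
import Foundation

// Hypothetical error type for this example (the PR uses ContainerizationError).
struct InvalidNameserver: Error, Equatable {
    let value: String
}

// True when `s` parses as an IPv4 or IPv6 literal.
// Assumption: inet_pton stands in for the project's IPv4Address/IPv6Address parsers.
func isIPLiteral(_ s: String) -> Bool {
    // The String-to-C-string conversion stops at the first NUL byte,
    // so reject embedded NULs before handing the value to inet_pton.
    guard !s.utf8.contains(0) else { return false }
    var v4 = in_addr()
    var v6 = in6_addr()
    return inet_pton(AF_INET, s, &v4) == 1 || inet_pton(AF_INET6, s, &v6) == 1
}

// Validate every entry first, then render; no partial output on failure.
func renderResolvConf(nameservers: [String]) throws -> String {
    for ns in nameservers where !isIPLiteral(ns) {
        throw InvalidNameserver(value: ns)
    }
    return nameservers.map { "nameserver \($0)\n" }.joined()
}

// Constructed sample inputs: valid mixed list, empty list, hostname,
// out-of-range octet, trailing whitespace, embedded NUL.
let cases: [[String]] = [
    ["8.8.8.8", "2001:4860:4860::8888"],
    [],
    ["dns.example.com"],
    ["10.0.0.256"],
    ["1.1.1.1 "],
    ["1.1.1.1\0x"],
]

for c in cases {
    do {
        let out = try renderResolvConf(nameservers: c)
        print("accept \(c) -> \(out.utf8.count) bytes of resolv.conf")
    } catch let e as InvalidNameserver {
        print("reject \(c): bad entry \(e.value.debugDescription)")
    } catch {
        print("error  \(error)")
    }
}
```

Because `inet_pton` does not accept scoped IPv6 literals such as `fe80::1%eth0`, this stand-in rejects them; whether the project's parsers do the same is not stated on this page.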

Successfully merging this pull request may close these issues.

[Request]: IPv6: validate nameserver addresses in DNSConfiguration