feat(codefull.gs): edge-cache DNS to skip tunnel-node round-trip#494
Merged
therealaleph merged 1 commit into therealaleph:main on Apr 29, 2026
therealaleph added a commit that referenced this pull request on Apr 29, 2026
…p + hotspot sharing
Three substantive PRs landed for this release plus an Iran-safe DoH default:
- #488 by @dazzling-no-more (with credit to @patterniha): fronting_groups config field generalizes the Google-edge SNI-rewrite trick to any multi-tenant CDN edge (Vercel, Fastly, etc.). Renames `mode = "google_only"` → `mode = "direct"` with a deprecated alias keeping existing configs working. This is the v1.9.0 headline — new top-level config field + public mode-string rename are minor-bump territory. xmux moves to v1.10.0.
- #494 by @dazzling-no-more: edge-cache DNS at Apps Script (CodeFull.gs) using CacheService. udp_open / port=53 ops served from cache or DoH fallback chain (Cloudflare → Google → Quad9). Cache hits drop typical first-hop DNS latency from 600-1200ms to 200-400ms. Default-on, opt-out via ENABLE_EDGE_DNS_CACHE; every failure mode falls through to existing tunnel-node forward path (zero regression).
- #483 by @yyoyoian-pixel: default listen_host from 127.0.0.1 to 0.0.0.0 so an Android phone running the tunnel + an iPhone/laptop on the same hotspot can use it as proxy. Old configs with explicit 127.0.0.1 are honored (not overwritten).
Plus: default `tunnel_doh: true` (flipped from false in v1.8.x) per #468 — Iran ISPs filter direct connections to dns.google, chrome.cloudflare-dns.com, and other pinned DoH hosts. The bypass-on default silently broke DNS for the dominant Iranian userbase. The safe default keeps DoH inside the tunnel; non-Iran users can opt back into the bypass for the latency win. Backwards-compatible — any config with explicit tunnel_doh keeps its setting.
169 mhrv-rs lib tests + 33 tunnel-node tests + 11 edge-DNS JS tests all passing. Clean release + UI builds.
great commit keep it going champ 👍
Summary
- `udp_open`/port=53 ops in `_doTunnelBatch` and serve them from `CacheService` (cache hit) or DoH (cache miss), so plain DNS no longer trans-Atlantics through the tunnel-node. Cache hits drop typical first-hop DNS latency from ~600–1200 ms to ~200–400 ms.
- `CodeFull.gs` (full-tunnel mode only — apps_script mode has no UDP path). No Rust/client changes; the synthesized `{sid, pkts, eof:true}` shape matches what the tunnel-node returns today, so `mux.udp_open` consumes it transparently.
- `ENABLE_EDGE_DNS_CACHE`.
- Every failure mode (parse error, resolver outage, key-too-long, `cache.put` rejection) returns `null` from `_edgeDnsTry` and falls through to the existing tunnel-node forward path — zero regression vs today on any failure.
What's in it
- (`_dnsParseQuestion`, `_dnsMinTtl`, `_dnsSkipName`, `_dnsRewriteTxid`) — handle name-pointer compression in answers, RFC 2181 §8 TTL high-bit clamp, and txid rewrite per RFC 1035 §4.1.1 so cached replies match the request's transaction id.
- (`?dns=<base64url>`). One resolver per attempt; failure cycles to next.
- `edns:<qtype>:<lowercase qname>`, guarded against the 250-char CacheService limit. Per-qtype keying keeps A and AAAA from colliding.
- `[30 s, 6 h]`. NXDOMAIN/SERVFAIL get a 45 s negative cache; NODATA-with-SOA honors the SOA TTL per RFC 2308 §5.
- (`_spliceTunnelResults`) factored out so mixed batches (TCP `connect`/`data` + DNS `udp_open`) preserve original op-index ordering. Length-mismatch guard fails closed instead of routing TCP responses to UDP sids.
- (`qdcount !== 1`) bypass the cache and forward to the tunnel-node.
Why not Sheets (like #443)?
Sheets reads/writes from GAS run 100–500 ms per op — often slower than the DoH lookup we'd be caching, and a daily-quota hazard. They also persist a Drive-listed log of every domain users resolve, which is a real privacy regression for users in censorship contexts.
`CacheService` is ~10 ms, volatile, free, and has no on-disk artifact. #443's Sheets pattern is correct for HTTP response caching (large bodies, longer TTLs, value as analytics surface); it's the wrong shape for DNS hot-path.
Tests
`node assets/apps_script/tests/edge_dns_test.js` — 11 pure-JS tests covering the parsers, txid non-mutation, TTL high-bit clamp, NXDOMAIN-with-SOA TTL extraction, malformed/truncated input rejection, and splice correctness for mixed batches.
Known v1 tradeoffs (deferred)
- `UrlFetchApp.fetchAll` for parallel misses; deferred because it forces an unrelated design call on resolver-fallback strategy under parallel fetches.
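The cache-policy rules the description lists (qdcount guard, name-pointer compression, RFC 2181 §8 TTL high-bit clamp, the [30 s, 6 h] clamp, the 45 s negative cache, SOA-derived NODATA TTL, txid rewrite, 250-char key guard) are easier to review when run over concrete packets. The following is an added example written for this page; it is not the PR's code and does not reproduce the `_dns*` helpers from `CodeFull.gs`. Every function name (`readName`, `parseQuestion`, `cacheTtlFor`, `cacheKey`, `rewriteTxid`) and all sample messages are constructed here. For the NODATA case it applies RFC 2308 §5 literally, taking the minimum of the SOA record's TTL and its MINIMUM field.

```javascript
// Added example, not the PR's code: the DNS wire-format rules the PR description
// lists (qdcount !== 1 bypass, name-pointer compression, RFC 2181 §8 TTL high-bit
// clamp, [30 s, 6 h] clamp, 45 s negative cache, RFC 2308 §5 SOA negative TTL,
// txid rewrite, 250-char cache-key guard). Every name here is hypothetical.
const MIN_TTL = 30, MAX_TTL = 6 * 3600, NEG_TTL = 45, KEY_LIMIT = 250;

const u16At = (b, o) => { if (o + 2 > b.length) throw new Error('short'); return (b[o] << 8) | b[o + 1]; };
const u32At = (b, o) => { if (o + 4 > b.length) throw new Error('short'); return ((b[o] << 24) | (b[o + 1] << 16) | (b[o + 2] << 8) | b[o + 3]) >>> 0; };
const clampTtl = t => Math.min(MAX_TTL, Math.max(MIN_TTL, t));

// Read a possibly compressed name at `off`. `next` is the offset just past the name
// in the record being parsed, i.e. past the 2-byte pointer when one was followed.
function readName(buf, off) {
  const labels = []; let pos = off, next = -1, hops = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated name');
    const len = buf[pos];
    if (len === 0) { pos++; break; }
    if ((len & 0xc0) === 0xc0) {                           // compression pointer (RFC 1035 §4.1.4)
      if (pos + 1 >= buf.length) throw new Error('truncated pointer');
      if (next < 0) next = pos + 2;
      if (++hops > 16) throw new Error('pointer loop');
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      continue;
    }
    if (len & 0xc0 || pos + 1 + len > buf.length) throw new Error('bad label');
    labels.push(String.fromCharCode(...buf.subarray(pos + 1, pos + 1 + len)));
    pos += 1 + len;
  }
  return { name: labels.join('.').toLowerCase(), next: next < 0 ? pos : next };
}

// Parse the single question of a query; null means "bypass the cache" (qdcount !== 1 or malformed).
function parseQuestion(buf) {
  try {
    if (u16At(buf, 4) !== 1) return null;
    const q = readName(buf, 12);
    return { txid: u16At(buf, 0), qname: q.name, qtype: u16At(buf, q.next), qclass: u16At(buf, q.next + 2) };
  } catch (e) { return null; }
}

// Seconds a reply may be cached, or 0 for "do not cache, forward as before".
function cacheTtlFor(buf) {
  if (buf.length < 12) return 0;
  const rcode = buf[3] & 0x0f;
  if (rcode === 2 || rcode === 3) return NEG_TTL;          // SERVFAIL / NXDOMAIN
  if (rcode !== 0) return 0;
  let minAnswer = Infinity, soaNeg = null;
  try {
    const qd = u16At(buf, 4), an = u16At(buf, 6), ns = u16At(buf, 8);
    let off = 12;
    for (let i = 0; i < qd; i++) off = readName(buf, off).next + 4;    // skip qtype + qclass
    for (let i = 0; i < an + ns; i++) {                     // answer section, then authority section
      const { next } = readName(buf, off);
      const type = u16At(buf, next), rdlen = u16At(buf, next + 8), end = next + 10 + rdlen;
      if (end > buf.length) throw new Error('truncated rdata');
      let ttl = u32At(buf, next + 4);
      if (ttl >= 0x80000000) ttl = 0;                       // RFC 2181 §8: high bit set, treat as 0
      if (i < an) minAnswer = Math.min(minAnswer, ttl);
      else if (type === 6 && rdlen >= 20 && soaNeg === null) {
        soaNeg = Math.min(ttl, u32At(buf, end - 4));        // RFC 2308 §5: min(SOA TTL, SOA MINIMUM)
      }
      off = end;
    }
  } catch (e) { return 0; }                                 // malformed: leave it to the tunnel-node
  if (minAnswer !== Infinity) return clampTtl(minAnswer);
  return soaNeg === null ? 0 : clampTtl(soaNeg);            // NODATA with SOA in authority
}

// Cache key in the PR's scheme; null when CacheService would reject the key length.
function cacheKey(qtype, qname) {
  const key = `edns:${qtype}:${qname.toLowerCase()}`;
  return key.length > KEY_LIMIT ? null : key;
}

// Copy of a cached reply carrying the new request's txid; the cached bytes stay untouched.
function rewriteTxid(reply, txid) {
  const out = Uint8Array.from(reply);
  out[0] = (txid >> 8) & 0xff; out[1] = txid & 0xff;
  return out;
}

// Constructed sample messages (not captured traffic).
const u16 = n => [(n >> 8) & 0xff, n & 0xff];
const u32 = n => [(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
const txt = s => [...s].map(c => c.charCodeAt(0));
const name = s => [...s.split('.').flatMap(l => [l.length, ...txt(l)]), 0];
const hdr = (id, flags, qd, an, ns) => [...u16(id), ...u16(flags), ...u16(qd), ...u16(an), ...u16(ns), ...u16(0)];
const Q_A = [...name('example.com'), ...u16(1), ...u16(1)];             // example.com A IN
const PTR_Q = [0xc0, 0x0c];                                            // pointer back to the qname at offset 12
const SAMPLE_QUERY = Uint8Array.from([...hdr(0xbeef, 0x0100, 1, 0, 0), ...Q_A]);
const SAMPLE_MULTIQ = Uint8Array.from([...hdr(0xbeef, 0x0100, 2, 0, 0), ...Q_A, ...Q_A]);
const SAMPLE_A = Uint8Array.from([...hdr(0x1234, 0x8180, 1, 1, 0), ...Q_A,
  ...PTR_Q, ...u16(1), ...u16(1), ...u32(3600), ...u16(4), 93, 184, 216, 34]);
const SAMPLE_A_HIGHBIT = Uint8Array.from([...hdr(0x1234, 0x8180, 1, 2, 0), ...Q_A,
  ...PTR_Q, ...u16(1), ...u16(1), ...u32(3600), ...u16(4), 93, 184, 216, 34,
  ...PTR_Q, ...u16(1), ...u16(1), ...u32(0x80000010), ...u16(4), 10, 0, 0, 1]);  // second TTL has high bit set
const SAMPLE_NXDOMAIN = Uint8Array.from([...hdr(0x1234, 0x8183, 1, 0, 0), ...Q_A]);
// NODATA for example.com AAAA: no answers, SOA in authority (TTL 900, MINIMUM 300).
const SAMPLE_NODATA_SOA = Uint8Array.from([...hdr(1, 0x8180, 1, 0, 1), ...name('example.com'), ...u16(28), ...u16(1),
  ...PTR_Q, ...u16(6), ...u16(1), ...u32(900), ...u16(39),
  3, ...txt('ns1'), ...PTR_Q, 10, ...txt('hostmaster'), ...PTR_Q,
  ...u32(2026042901), ...u32(7200), ...u32(900), ...u32(1209600), ...u32(300)]);

console.log(parseQuestion(SAMPLE_QUERY), cacheTtlFor(SAMPLE_A), cacheTtlFor(SAMPLE_A_HIGHBIT), cacheTtlFor(SAMPLE_NODATA_SOA));
```

Two points worth checking against any real implementation: `readName` must return the offset after the pointer bytes (not after the target labels) or every compressed record after the first will be parsed from the wrong position, and a reply that fails to parse must yield "do not cache" so the request takes the existing tunnel-node path rather than being dropped.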