Commit
Isolate the DNS resolver into its own compartment.
In the current implementation, the TCP/IP compartment is responsible for DNS, which allows it to spoof translations to bypass connection capabilities and create arbitrary firewall entries. To prevent this, we must isolate the DNS resolver into its own compartment that plugs directly at the firewall level.

Since neither the FreeRTOS+TCP resolver nor existing resolver libraries are meant to run directly at the Ethernet level, and most are too heavyweight, we write our own. Similarly to the FreeRTOS+TCP resolver, this implementation is a stub resolver: it only supports IPv4 recursive servers for A, AAAA, and CNAME queries. This resolver also assumes that the recursive resolver recurses into CNAME records. The address of the DNS server is provided by the DHCP server. This may be overly restrictive - we should evolve it in future PRs or eventually replace it with something more featureful as the need arises.

Since the resolver plugs directly with the firewall, it needs to know its own IP address, the IP address of the DNS server, its own MAC address, as well as the MAC address of the DNS server (or that of the gateway if the server is outside of the local network). The MAC address of the device is obtained from the firewall. The IP address of the device, of the DNS server, and the MAC address of the server/gateway are obtained from DHCP and ARP, whose corresponding packets are also forwarded to the DNS compartment.

Signed-off-by: Hugo Lefeuvre <[email protected]>
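The commit message describes a stub resolver that only needs to build A/AAAA/CNAME queries and parse the recursive server's replies. The following is an added example, written for this page and not code from the commit or the project, of the two wire-format pieces such a resolver needs: building a recursive query and parsing a reply with bounds-checked name decompression, following a CNAME to the A record. A resolver that sits below the TCP/IP compartment is parsing attacker-influenced bytes straight off the wire, so every offset is checked against the message length, compression pointers must point backwards and are hop-limited, and only answers whose owner name matches the name being asked for are accepted. The sample reply bytes, the transaction ID 0x1234 and the address 192.0.2.10 are constructed for the example; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_TYPE_A     1
#define DNS_TYPE_CNAME 5
#define DNS_TYPE_AAAA  28

/* Encode "www.example.com" as length-prefixed labels; returns bytes written or -1. */
static int dns_encode_name(const char *name, uint8_t *out, size_t outlen) {
    size_t o = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || o + 1 + len + 1 > outlen) return -1;
        out[o++] = (uint8_t)len;
        memcpy(out + o, name, len);
        o += len; name += len;
        if (*name == '.') name++;
    }
    if (o + 1 > outlen) return -1;
    out[o++] = 0;
    return (int)o;
}

/* Build a recursion-desired query for (name, qtype). Returns message length or -1. */
int dns_build_query(uint16_t id, const char *name, uint16_t qtype, uint8_t *buf, size_t buflen) {
    if (buflen < 12) return -1;
    buf[0] = (uint8_t)(id >> 8); buf[1] = (uint8_t)id;
    buf[2] = 0x01; buf[3] = 0x00;          /* flags: RD=1 */
    buf[4] = 0; buf[5] = 1;                /* QDCOUNT=1 */
    memset(buf + 6, 0, 6);                 /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    int n = dns_encode_name(name, buf + 12, buflen - 12);
    if (n < 0 || (size_t)(12 + n + 4) > buflen) return -1;
    size_t o = 12 + (size_t)n;
    buf[o++] = (uint8_t)(qtype >> 8); buf[o++] = (uint8_t)qtype;
    buf[o++] = 0; buf[o++] = 1;            /* QCLASS=IN */
    return (int)o;
}

/* Read a possibly compressed name at off into out (may be NULL). Returns the offset
   just past the name in the original stream, or -1 on out-of-bounds, forward or
   looping pointers, oversize labels, or a name that does not fit in out. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outlen) {
    size_t end = 0, o = 0; int jumped = 0, hops = 0;
    for (;;) {
        if (off >= len) return -1;
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {          /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t ptr = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (!jumped) end = off + 2;
            jumped = 1;
            if (++hops > 16 || ptr >= off) return -1;  /* must point backwards */
            off = ptr;
            continue;
        }
        if (c & 0xC0) return -1;           /* reserved label types */
        if (c == 0) { if (!jumped) end = off + 1; break; }
        if (off + 1 + c > len) return -1;
        if (out) {
            if (o + c + 1 >= outlen) return -1;
            if (o) out[o++] = '.';
            memcpy(out + o, msg + off + 1, c); o += c;
        }
        off += 1 + c;
    }
    if (out) out[o] = 0;
    return (int)end;
}

/* Parse the reply to an A query for qname, following CNAMEs in the answer section
   (the recursive server is assumed to have chased them). Fills ip[4]; 0 on success. */
int dns_parse_a_response(const uint8_t *msg, size_t len, uint16_t expect_id,
                         const char *qname, uint8_t ip[4]) {
    if (len < 12) return -1;
    if ((((unsigned)msg[0] << 8) | msg[1]) != expect_id) return -1; /* transaction ID */
    if (!(msg[2] & 0x80) || (msg[3] & 0x0F) != 0) return -1;        /* QR set, RCODE 0 */
    uint16_t qd = (uint16_t)((msg[4] << 8) | msg[5]);
    uint16_t an = (uint16_t)((msg[6] << 8) | msg[7]);
    size_t off = 12; char name[256], want[256];
    for (uint16_t i = 0; i < qd; i++) {    /* the echoed question must match ours */
        int n = dns_read_name(msg, len, off, name, sizeof name);
        if (n < 0 || (size_t)n + 4 > len) return -1;
        if (i == 0 && strcmp(name, qname) != 0) return -1;
        off = (size_t)n + 4;
    }
    strncpy(want, qname, sizeof want - 1); want[sizeof want - 1] = 0;
    for (uint16_t i = 0; i < an; i++) {    /* only accept records for the name we want */
        int n = dns_read_name(msg, len, off, name, sizeof name);
        if (n < 0 || (size_t)n + 10 > len) return -1;
        off = (size_t)n;
        uint16_t type  = (uint16_t)((msg[off] << 8) | msg[off + 1]);
        uint16_t rdlen = (uint16_t)((msg[off + 8] << 8) | msg[off + 9]);
        off += 10;
        if (rdlen > len - off) return -1;
        if (strcmp(name, want) == 0) {
            if (type == DNS_TYPE_A && rdlen == 4) { memcpy(ip, msg + off, 4); return 0; }
            if (type == DNS_TYPE_CNAME && dns_read_name(msg, len, off, want, sizeof want) < 0) return -1;
        }
        off += rdlen;
    }
    return -1;
}

/* Constructed reply: www.example.com CNAME cdn.example.com, cdn.example.com A 192.0.2.10. */
static const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,5, 0,1, 0,0,0,60, 0,6, 3,'c','d','n', 0xC0,0x10,
    0xC0,0x2D, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,10,
};

/* Round trip on the sample: returns the resolved IPv4 as a 32-bit value, 0 on failure. */
unsigned long dns_example_ipv4(void) {
    uint8_t q[512], ip[4];
    int qlen = dns_build_query(0x1234, "www.example.com", DNS_TYPE_A, q, sizeof q);
    if (qlen != 33 || memcmp(q + 12, sample_response + 12, 21) != 0) return 0;
    if (dns_parse_a_response(sample_response, sizeof sample_response, 0x1234, "www.example.com", ip) != 0) return 0;
    return ((unsigned long)ip[0] << 24) | ((unsigned long)ip[1] << 16) | ((unsigned long)ip[2] << 8) | ip[3];
}

/* Malformed inputs a resolver below the TCP/IP stack must reject: returns 1 if all are. */
int dns_rejects_malformed(void) {
    const uint8_t self_loop[] = { 0xC0, 0x00 };        /* pointer to itself */
    const uint8_t truncated[] = { 5, 'a', 'b' };       /* label runs past the end */
    uint8_t bad_id[sizeof sample_response]; uint8_t ip[4];
    memcpy(bad_id, sample_response, sizeof bad_id); bad_id[0] ^= 0xFF;
    return dns_read_name(self_loop, sizeof self_loop, 0, NULL, 0) == -1
        && dns_read_name(truncated, sizeof truncated, 0, NULL, 0) == -1
        && dns_parse_a_response(bad_id, sizeof bad_id, 0x1234, "www.example.com", ip) == -1;
}

int main(void) {
    unsigned long a = dns_example_ipv4();
    printf("resolved %lu.%lu.%lu.%lu, malformed rejected: %d\n",
           a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF, dns_rejects_malformed());
    return 0;
}
```

The owner-name check is the piece that matters for the threat described in the commit: a record in the answer section is only used if its owner is the name currently being resolved, so an unrelated record cannot inject a translation, and the transaction ID and echoed question are compared before any answer is looked at.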