blocks direct Ip.

cmd/ctrld_library/netstack/README.md

@@ -6,8 +6,9 @@ Complete TCP/UDP/DNS packet capture implementation using gVisor netstack for And
 
 Provides full packet capture for mobile VPN applications:
 - **DNS filtering** through ControlD proxy
-- **TCP forwarding** for all TCP traffic
-- **UDP forwarding** with session tracking
+- **IP whitelisting** - only allows connections to DNS-resolved IPs
+- **TCP forwarding** for all TCP traffic (with whitelist enforcement)
+- **UDP forwarding** with session tracking (with whitelist enforcement)
 - **Socket protection** to prevent routing loops
 - **QUIC blocking** for better content filtering
 
@@ -29,16 +30,19 @@ Real Network (Protected Sockets)
 ## Components
 
 ### DNS Filter (`dns_filter.go`)
-Detects DNS packets on port 53 and routes to ControlD proxy.
+Detects DNS packets on port 53, routes to ControlD proxy, and extracts resolved IPs.
 
 ### DNS Bridge (`dns_bridge.go`)
 Tracks DNS queries by transaction ID with 5-second timeout.
 
+### IP Tracker (`ip_tracker.go`)
+Maintains whitelist of DNS-resolved IPs with 5-minute TTL.
+
 ### TCP Forwarder (`tcp_forwarder.go`)
-Forwards TCP connections using gVisor's `tcp.NewForwarder()`.
+Forwards TCP connections using gVisor's `tcp.NewForwarder()`. Blocks non-whitelisted IPs.
 
 ### UDP Forwarder (`udp_forwarder.go`)
-Forwards UDP packets with session tracking and 60-second idle timeout.
+Forwards UDP packets with 30-second read deadline. Blocks non-whitelisted IPs.
 
 ### Packet Handler (`packet_handler.go`)
 Interface for TUN I/O and socket protection.
@@ -125,6 +129,34 @@ Drops UDP packets on ports 443 and 80 to force TCP fallback:
 - No user-visible errors
 - Slightly slower initial connection, then normal
 
+## IP Blocking (DNS Bypass Prevention)
+
+Enforces whitelist approach: ONLY allows connections to IPs resolved through ControlD DNS.
+
+**How it works:**
+1. DNS responses are parsed to extract A and AAAA records
+2. Resolved IPs are tracked in memory whitelist for 5 minutes
+3. TCP/UDP connections to **non-whitelisted** IPs are **BLOCKED**
+4. Only IPs that went through DNS resolution are allowed
+
+**Why:**
+- Prevents DNS bypass via hardcoded/cached IPs
+- Ensures ALL traffic must go through ControlD DNS first
+- Blocks apps that try to skip DNS filtering
+- Enforces strict ControlD policy compliance
+
+**Example:**
+```
+✅ ALLOWED:  App queries "example.com" → 93.184.216.34 → connects to 93.184.216.34
+❌ BLOCKED:  App connects directly to 1.2.3.4 (not resolved via DNS)
+```
+
+**Components:**
+- `ip_tracker.go` - Manages whitelist of DNS-resolved IPs with TTL
+- `dns_filter.go` - Extracts IPs from DNS responses for whitelist
+- `tcp_forwarder.go` - Allows only whitelisted IPs, blocks others
+- `udp_forwarder.go` - Allows only whitelisted IPs, blocks others
+
 ## Usage (Android)
 
 ```kotlin
@@ -196,10 +228,11 @@ proxy.startFirewall(
 
 - `packet_handler.go` - TUN I/O interface
 - `netstack.go` - gVisor controller
-- `dns_filter.go` - DNS packet detection
+- `dns_filter.go` - DNS packet detection and IP extraction
 - `dns_bridge.go` - Transaction tracking
-- `tcp_forwarder.go` - TCP forwarding
-- `udp_forwarder.go` - UDP forwarding
+- `ip_tracker.go` - DNS-resolved IP whitelist with TTL
+- `tcp_forwarder.go` - TCP forwarding with whitelist enforcement
+- `udp_forwarder.go` - UDP forwarding with whitelist enforcement
 
 ## License