feat: Add --random-src-port flag for censorship evasion

[selfishblackberry177]

Adds --random-src-port N CLI flag to use random source ports per DNS query.

Why

DNS tunnels using a single source port create an identifiable traffic pattern. Firewalls (GFW, GFI) can fingerprint this behavior since normal DNS clients typically use ephemeral ports per query. This change makes tunnel traffic indistinguishable from regular DNS.

How

When N > 0, spawns N worker tasks that each create a fresh UDP socket per query. The OS assigns a random ephemeral port to each socket, mimicking normal DNS client behavior.

Flag	Behavior
--random-src-port 0 (default)	Single shared socket (existing behavior)
--random-src-port 100	100 workers with ephemeral sockets

Usage

slipstream-client --resolver 1.1.1.1:53 --domain example.com --random-src-port 100

[Mygod]

Hi, thanks for the contribution. What is the traffic pattern produced by this change, and what is the rationale for choosing it?

[selfishblackberry177]

Hi

The rationale for this feature is to evade traffic fingerprinting and censorship by firewalls like the GFW or GFI, which can easily identify and block DNS tunnels that use a single, static source port. By spawning worker tasks that create fresh UDP sockets for each query, the tool mimics the behavior of standard DNS clients that naturally use ephemeral ports, thereby making the tunnel's traffic pattern indistinguishable from legitimate DNS activity and significantly harder to detect.

[Copilot]

Pull request overview

This PR adds a --random-src-port N CLI flag that enables DNS tunnel traffic to evade censorship by using random ephemeral source ports per DNS query, mimicking normal DNS client behavior instead of the identifiable single-port pattern.

Changes:

• Adds new worker pool implementation that creates ephemeral UDP sockets per DNS query
• Introduces DnsTransport enum to abstract over shared socket (existing) vs. pool-based (new) transport modes
• Updates runtime select loop to handle both transport modes with different receive patterns

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
crates/slipstream-ffi/src/lib.rs	Adds random_src_port_workers field to ClientConfig
crates/slipstream-client/src/main.rs	Adds --random-src-port CLI argument and passes it to config
crates/slipstream-client/src/dns.rs	Exports new DnsTransport and QueryResponse types
crates/slipstream-client/src/dns/pool.rs	New module implementing worker pool with ephemeral sockets and transport abstraction
crates/slipstream-client/src/dns/poll.rs	Updates send_poll_queries to use DnsTransport abstraction
crates/slipstream-client/src/runtime.rs	Updates main loop with dual select! branches for Shared vs Pool transport modes
crates/slipstream-client/src/runtime/setup.rs	Removes bind_udp_socket function (moved to pool.rs)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When using DnsTransport::Pool, local_addr_storage is not updated from addr_from (line 81-83 guards this), but line 84 still reads from local_addr_storage to populate resolver.local_addr_storage. This pattern differs from runtime.rs line 367 where resolver.local_addr_storage is set directly from addr_from. For Pool transport with ephemeral sockets, resolver.local_addr_storage will contain stale or zeroed data. While this might be intentional since each pool query uses a different ephemeral socket, the inconsistent pattern and lack of documentation makes the correctness unclear. Consider either using addr_from directly for Pool mode or adding comments explaining why stale data is acceptable.

Suggested change

	*local_addr_storage = addr_from;
	}
	resolver.local_addr_storage = Some(unsafe { std::ptr::read(local_addr_storage) });
	// In Shared mode, keep the externally managed local_addr_storage in sync
	*local_addr_storage = addr_from;
	resolver.local_addr_storage = Some(unsafe { std::ptr::read(local_addr_storage) });
	} else {
	// In Pool mode, each query uses its own ephemeral socket; use the current addr_from directly
	resolver.local_addr_storage = Some(addr_from);
	}

[selfishblackberry177]

I didn't understand, what should I do for this comment?

[Copilot]

The shared Mutex for request_rx (line 33) means all workers contend for the same lock when trying to receive requests. This creates a bottleneck where workers must serialize their access to the queue. Consider using an alternative pattern such as: (1) using multiple channels with one per worker and round-robin distribution, or (2) using a lock-free channel like crossbeam-channel, or (3) accepting this design if the DNS query latency dominates over lock contention.

[selfishblackberry177]

Workers share a Mutex-wrapped receiver. While this serializes request dispatch, the lock is only held briefly during recv(). DNS network I/O (10-1000ms) vastly dominates the lock acquisition time (microseconds), making contention negligible. Alternative approaches (per-worker channels, crossbeam) add complexity without meaningful throughput improvement for this I/O-bound workload.

[Copilot]

The new DnsQueryPool and DnsTransport implementations lack test coverage. Since other modules in this project have unit tests (e.g., dns/resolver.rs, main.rs), consider adding tests for the pool functionality. Key behaviors to test include: worker task spawning and shutdown, query request/response flow, timeout handling, ephemeral socket creation, and transport mode selection based on worker count.

[Copilot]

The spawned worker tasks are not tracked or joined on shutdown. When DnsQueryPool is dropped, the request_tx will be dropped which will cause workers to exit, but there's no mechanism to wait for graceful shutdown or track task handles. Consider storing JoinHandles and implementing Drop to await worker completion, preventing potential resource leaks or incomplete operations during shutdown.

[selfishblackberry177]

I don't think grace shutdown is necessary for this project now. And handling it is a bit of more than needed complexity.

[selfishblackberry177]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 81641a2420

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[selfishblackberry177]

@Mygod Would you please review this? I guess I'm finished.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bce2a0dadf

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Surface pool send failures to callers

In the pool transport, worker send failures are only logged and the worker returns, but the caller already received Ok(()) from DnsQueryPool::send when it enqueued the request. That means bind/send failures (e.g., ephemeral port exhaustion or temporary network errors) are silently dropped while the caller proceeds as if the query was transmitted, updating inflight counters and pacing. This can stall or heavily degrade the tunnel because no retry is triggered for these failed sends.

Useful? React with 👍 / 👎.

[selfishblackberry177]

Is this suggestion valid? I'm not sure.