dvershinin
diff --git a/‎docs/en/index.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/en/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/en/plugins/missing_resolver.md‎
Lines changed: 184 additions & 0 deletions b/‎docs/en/plugins/missing_resolver.md‎
Lines changed: 184 additions & 0 deletions
diff --git a/‎gixy/directives/directive.py‎
Lines changed: 33 additions & 1 deletion b/‎gixy/directives/directive.py‎
Lines changed: 33 additions & 1 deletion
@@ -47,6 +47,7 @@ Right now Gixy can find:
 *   [[try_files_is_evil_too] try_files without open_file_cache](plugins/try_files_is_evil_too.md)
 *   [[worker_rlimit_nofile_vs_connections] Worker connections vs rlimit](plugins/worker_rlimit_nofile_vs_connections.md)
 *   [[low_keepalive_requests] Low keepalive_requests value](plugins/low_keepalive_requests.md)
+*   [[missing_resolver] Static DNS resolution in proxy_pass](plugins/missing_resolver.md)
 
 You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/dvershinin/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22)
 
 
@@ -0,0 +1,184 @@
+# [missing_resolver] Static DNS Resolution in proxy_pass
+
+Detects `proxy_pass` (and related) configurations where hostnames are resolved only at nginx startup, potentially causing requests to be sent to stale IP addresses.
+
+## Why it matters
+
+When you use a hostname directly in `proxy_pass`:
+
+```nginx
+proxy_pass https://api.example.com;
+```
+
+Nginx resolves the DNS **once at startup** and caches that IP forever. If the IP changes (common with cloud load balancers, CDNs, or failover scenarios), nginx will continue sending traffic to the old IP until restarted.
+
+This can cause:
+- **Service outages** when backend IPs change
+- **Security issues** if old IPs are reassigned to malicious actors
+- **Load balancing failures** when using DNS-based load balancing
+
+## Smart Detection Features
+
+This plugin goes beyond simple suffix matching:
+
+### 🔥 Cloud Provider Detection (HIGH severity)
+Automatically detects endpoints from major cloud providers where IPs change frequently:
+- **AWS**: ELB, CloudFront, API Gateway, Elastic Beanstalk, Lambda URLs, S3
+- **Google Cloud**: Cloud Run, Cloud Functions, App Engine, Google APIs
+- **Azure**: App Service, API Management, CDN, Traffic Manager, Blob Storage
+- **Cloudflare**: Workers, Pages
+- **PaaS**: Heroku, Vercel, Netlify, Railway, Render, Fly.io, DigitalOcean App Platform
+
+### 🎯 Proper TLD Classification
+- Recognizes 100+ public TLDs (not just checking for a dot)
+- Supports compound TLDs: `.co.uk`, `.com.au`, `.co.jp`, etc.
+- Won't false-positive on internal hostnames
+
+### 🐳 Container Orchestration Awareness
+Automatically skips internal service discovery patterns:
+- **Kubernetes**: `.svc.cluster.local`, `.pod.cluster.local`, `.default.svc`
+- **Docker**: `.docker.internal`
+- **Consul**: `.service.consul`, `.node.consul`
+- **Mesos**: `.marathon.mesos`
+- **Rancher**: `.rancher.internal`
+
+### 🔍 Resolver Directive Checking
+Detects when you use a variable but forgot to configure the `resolver` directive:
+
+```nginx
+# This WON'T re-resolve without a resolver directive!
+set $backend api.example.com;
+proxy_pass http://$backend;  # ← Plugin will warn about missing resolver
+```
+
+### 📦 Upstream Analysis
+Checks upstream blocks for servers without the `resolve` parameter:
+
+```nginx
+upstream backend {
+    server api.example.com;  # ← No 'resolve' = static DNS
+}
+```
+
+## What triggers this check
+
+| Pattern | Severity | Example |
+|---------|----------|---------|
+| Cloud provider endpoints | **HIGH** | `proxy_pass https://my-app.herokuapp.com;` |
+| Public domain hostnames | MEDIUM | `proxy_pass https://api.example.com;` |
+| Variable without resolver | MEDIUM | `set $x host.com; proxy_pass http://$x;` |
+| Upstream without resolve | MEDIUM | `upstream { server host.com; }` |
+
+## What doesn't trigger (false positives avoided)
+
+- ✅ IP addresses (no DNS resolution needed)
+- ✅ Unix sockets (`unix:/path/to/socket`)
+- ✅ Internal domains (`.internal`, `.local`, `.lan`, `.corp`, `.home`, etc.)
+- ✅ Single-label hostnames (`proxy_pass http://backend;`)
+- ✅ Kubernetes services (`.svc.cluster.local`)
+- ✅ Consul services (`.service.consul`)
+- ✅ Docker internal (`.docker.internal`)
+- ✅ URLs with variables AND resolver configured
+- ✅ Upstream servers with `resolve` parameter
+
+## Examples
+
+### Bad: Cloud provider endpoint (HIGH severity)
+
+```nginx
+# CRITICAL: AWS ELB IPs change constantly!
+location /api {
+    proxy_pass https://my-app-123456789.us-east-1.elb.amazonaws.com;
+}
+```
+
+### Bad: Static hostname (MEDIUM severity)
+
+```nginx
+# DNS resolved once at startup
+location /api {
+    proxy_pass https://api.example.com;
+}
+```
+
+### Bad: Variable without resolver
+
+```nginx
+# Variable alone doesn't enable re-resolution!
+set $backend api.example.com;
+proxy_pass http://$backend;
+```
+
+### Bad: Upstream without resolve
+
+```nginx
+upstream backend {
+    server api.example.com:8080;  # No resolve parameter
+}
+
+server {
+    location / {
+        proxy_pass http://backend;
+    }
+}
+```
+
+### Good: Variable with resolver
+
+```nginx
+resolver 8.8.8.8 valid=30s;
+
+server {
+    location /api {
+        set $backend api.example.com;
+        proxy_pass https://$backend;
+    }
+}
+```
+
+### Good: Upstream with resolve (nginx 1.27.3+)
+
+```nginx
+resolver 8.8.8.8;
+
+upstream backend {
+    server api.example.com:8080 resolve;
+}
+
+server {
+    location / {
+        proxy_pass http://backend;
+    }
+}
+```
+
+### Good: Internal service (auto-skipped)
+
+```nginx
+# Kubernetes service - plugin knows this is internal
+proxy_pass http://api-service.default.svc.cluster.local;
+```
+
+## Directives Checked
+
+This plugin analyzes all proxy-related directives:
+- `proxy_pass`
+- `fastcgi_pass`
+- `uwsgi_pass`
+- `scgi_pass`
+- `grpc_pass`
+
+## Configuration
+
+Disable this plugin in `.gixy.yml`:
+
+```yaml
+plugins:
+  missing_resolver: false
+```
+
+## References
+
+- [nginx resolver directive](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver)
+- [nginx upstream server resolve parameter](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#server)
+- [NGINX Blog: DNS Service Discovery](https://www.nginx.com/blog/dns-service-discovery-nginx-plus/)
@@ -67,7 +67,17 @@ def find_single_directive_in_scope(self, name):
                 return directive
         return None
 
-
+    def find_imperative_directives_in_scope(self, name, ancestors=True):
+        """Find imperative directives (like upstream blocks) in the current scope.
+        
+        Unlike find_directives_in_scope which looks for directives before this one,
+        this method finds blocks/directives that can be referenced from anywhere
+        (like upstream blocks which are defined at http level but used in server/location).
+        """
+        for parent in self.parents:
+            yield from parent.find(name, flat=False)
+            if not ancestors:
+                break
 
     def __str__(self):
         return f"{self.name} {' '.join(self.args)};"
@@ -234,6 +244,28 @@ def __init__(self, name, args):
         self.path = args[0]
 
 
+def is_ipv6(host, strip_brackets=True):
+    """Check if a string is an IPv6 address (may include port)."""
+    if strip_brackets and host.startswith("[") and "]" in host:
+        host = host.split("]")[0][1:]
+    try:
+        ipaddress.IPv6Address(host)
+        return True
+    except ValueError:
+        return False
+
+
+def is_ipv4(host, strip_port=True):
+    """Check if a string is an IPv4 address (may include port)."""
+    if strip_port:
+        host = host.rsplit(":", 1)[0]
+    try:
+        ipaddress.IPv4Address(host)
+        return True
+    except ValueError:
+        return False
+
+
 def is_local_ipv6(ip):
     """
     Check if an IPv6 address is a local address