From 061136508ec3e5492c1ecaaee6e61c1f7d9b9fbf Mon Sep 17 00:00:00 2001 From: Eugene Burkov Date: Tue, 18 Jan 2022 14:20:25 +0300 Subject: [PATCH] Pull request: 4120 service domain validation Merge in DNS/adguard-home from 4120-fix-services to master Closes #4120. Squashed commit of the following: commit ca2e5faf64f567cc6647a300181712236158e69d Author: Eugene Burkov Date: Tue Jan 18 14:14:54 2022 +0300 dnsforward: imp docs commit 9ed5f536e691dcdee5b7c94e161c738d31ff8588 Author: Eugene Burkov Date: Tue Jan 18 13:50:33 2022 +0300 dnsforward: fix reverse domain validation --- CHANGELOG.md | 2 ++ go.mod | 2 +- go.sum | 3 ++- internal/dnsforward/dns.go | 17 +++++++++++++++-- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 78ea8efd..896efc0a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ TODO(a.garipov): Remove this deprecation, if v0.108.0 is released before the Go ### Fixed +- Incorrectly invalidated service domains ([#4120]). - Poor testing of domain-specific upstream servers ([#4074]). - Omitted aliases of hosts specified by another line within the OS's hosts file ([#4079]). @@ -40,6 +41,7 @@ TODO(a.garipov): Remove this deprecation, if v0.108.0 is released before the Go [#3057]: https://github.com/AdguardTeam/AdGuardHome/issues/3057 [#4074]: https://github.com/AdguardTeam/AdGuardHome/issues/4074 [#4079]: https://github.com/AdguardTeam/AdGuardHome/issues/4079 +[#4120]: https://github.com/AdguardTeam/AdGuardHome/issues/4120 diff --git a/go.mod b/go.mod index 7d838550..9a9e743f 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.17 require ( github.com/AdguardTeam/dnsproxy v0.40.4 - github.com/AdguardTeam/golibs v0.10.3 + github.com/AdguardTeam/golibs v0.10.4 github.com/AdguardTeam/urlfilter v0.15.1 github.com/NYTimes/gziphandler v1.1.1 github.com/ameshkov/dnscrypt/v2 v2.2.3 diff --git a/go.sum b/go.sum index db1d9ced..3037daf0 100644 --- a/go.sum +++ b/go.sum 
@@ -12,8 +12,9 @@ github.com/AdguardTeam/dnsproxy v0.40.4/go.mod h1:PZ9l22h3Er+5mxFQB7oHZMTvx+aa9R github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.9.2/go.mod h1:fCAMwPBJ8S7YMYbTWvYS+eeTLblP5E04IDtNAo7y7IY= -github.com/AdguardTeam/golibs v0.10.3 h1:FBgk17zf35ESVWQKIqEUiqqB2bDaCBC8X5vMU760yB4= github.com/AdguardTeam/golibs v0.10.3/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw= +github.com/AdguardTeam/golibs v0.10.4 h1:TMBkablZC0IZOpRgg9fzAKlxxNhSN2YJq7qbgtuZ7PQ= +github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw= github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU= github.com/AdguardTeam/urlfilter v0.15.1 h1:dP6S7J6eFAk8MN4IDpUq2fZoBo8K8fmc6pXpxNIv84M= github.com/AdguardTeam/urlfilter v0.15.1/go.mod h1:EwXwrYhowP7bedqmOrmKKmQtpBYFyDNEBFQ+lxdUgQU= diff --git a/internal/dnsforward/dns.go b/internal/dnsforward/dns.go index 5c3db14f..d9e04b80 100644 --- a/internal/dnsforward/dns.go +++ b/internal/dnsforward/dns.go 
@@ -352,9 +352,22 @@ func (s *Server) processRestrictLocal(ctx *dnsContext) (rc resultCode) {

 ip, err := netutil.IPFromReversedAddr(q.Name)
 if err != nil {
- log.Debug("dns: reversed addr: %s", err)
+ log.Debug("dns: parsing reversed addr: %s", err)

- return resultCodeError
+ // DNS-Based Service Discovery uses PTR records having not an ARPA
+ // format of the domain name in question. Those shouldn't be
+ // invalidated. See http://www.dns-sd.org/ServerStaticSetup.html and
+ // RFC 2782.
+ name := strings.TrimSuffix(q.Name, ".")
+ if err = netutil.ValidateSRVDomainName(name); err != nil {
+ log.Debug("dns: validating service domain: %s", err)
+
+ return resultCodeError
+ }
+
+ log.Debug("dns: request is for a service domain")
+
+ return resultCodeSuccess
 }

 // Restrict an access to local addresses for external clients. We also
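Review bot: The new early `return resultCodeSuccess` leaves processRestrictLocal before the local-address restriction that the trailing comment introduces, for every query name that fails `IPFromReversedAddr` but passes `ValidateSRVDomainName`, and nothing in the hunk limits that path to names outside the reverse zones. If the validator also accepts partial or prefixed names under `in-addr.arpa` or `ip6.arpa` (its rules are not visible here), such queries from external clients are no longer stopped at this point, where they previously got `resultCodeError`. I would either handle names with those suffixes separately before the fallback or record the decision in the comment, e.g. `// NOTE: non-address names under in-addr.arpa/ip6.arpa also take this path; the local restriction below does not apply to them.` The comment could also cite RFC 6763, which defines the PTR-based service discovery described here, alongside RFC 2782. The function starts and continues outside the hunk, so the restriction code itself is not shown.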