diff --git a/CHANGELOG.md b/CHANGELOG.md index 8389f5b9..b51e30fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,8 @@ and this project adheres to ### Changed +- Proxied DNS-over-HTTPS queries are now only accepted from proxy servers on the + `trusted_proxies` list ([#2799]). - Clients who are blocked by access settings now receive a `REFUSED` response when a protocol other than DNS-over-UDP and DNSCrypt is used. - `querylog_interval` setting is now formatted in hours. @@ -60,6 +62,7 @@ and this project adheres to ### Fixed +- Wrong IP address for proxied DNS-over-HTTPS queries ([#2799]). - Domain name letter case mismatches in DNS rewrites ([#3351]). - Conflicts between IPv4 and IPv6 DNS rewrites ([#3343]). - Letter case mismatches in `CNAME` filtering ([#3335]). @@ -89,6 +92,7 @@ and this project adheres to [#2504]: https://github.com/AdguardTeam/AdGuardHome/issues/2504 [#2624]: https://github.com/AdguardTeam/AdGuardHome/issues/2624 [#2763]: https://github.com/AdguardTeam/AdGuardHome/issues/2763 +[#2799]: https://github.com/AdguardTeam/AdGuardHome/issues/2799 [#3012]: https://github.com/AdguardTeam/AdGuardHome/issues/3012 [#3013]: https://github.com/AdguardTeam/AdGuardHome/issues/3013 [#3136]: https://github.com/AdguardTeam/AdGuardHome/issues/3136 diff --git a/go.mod b/go.mod index 1165bf79..c46b58cb 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome go 1.16 require ( - github.com/AdguardTeam/dnsproxy v0.38.3 + github.com/AdguardTeam/dnsproxy v0.39.0 github.com/AdguardTeam/golibs v0.8.0 github.com/AdguardTeam/urlfilter v0.14.6 github.com/NYTimes/gziphandler v1.1.1 diff --git a/go.sum b/go.sum index 4760bc7e..c5a4574d 100644 --- a/go.sum +++ b/go.sum @@ -11,6 +11,8 @@ github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI= github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I= github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0= +github.com/AdguardTeam/dnsproxy v0.39.0 h1:5/PN2mpUeCTWtvqXUbSPTMJSOad4lJscPzm+C2f4jB4= +github.com/AdguardTeam/dnsproxy v0.39.0/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0= github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0= @@ -105,6 +107,7 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8= github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= +github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/joomcode/errorx v1.0.1/go.mod h1:kgco15ekB6cs+4Xjzo7SPeXzx38PbJzBwbnu9qfVNHQ= github.com/joomcode/errorx v1.0.3 h1:3e1mi0u7/HTPNdg6d6DYyKGBhA5l9XpsfuVE29NxnWw= diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go index 5a7c81d7..712a26c0 100644 --- a/internal/dnsforward/config.go +++ b/internal/dnsforward/config.go @@ -94,6 +94,11 @@ type FilteringConfig struct { AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked + // TrustedProxies is the list of IP addresses and CIDR networks to + // detect proxy servers addresses the DoH requests from which should be + // handled. The value of nil or an empty slice for this field makes + // Proxy not trust any address. + TrustedProxies []string `yaml:"trusted_proxies"` // DNS cache settings // -- @@ -210,6 +215,7 @@ func (s *Server) createProxyConfig() (proxy.Config, error) { Ratelimit: int(s.conf.Ratelimit), RatelimitWhitelist: s.conf.RatelimitWhitelist, RefuseAny: s.conf.RefuseAny, + TrustedProxies: s.conf.TrustedProxies, CacheMinTTL: s.conf.CacheMinTTL, CacheMaxTTL: s.conf.CacheMaxTTL, CacheOptimistic: s.conf.CacheOptimistic, diff --git a/internal/dnsforward/dnsforward.go b/internal/dnsforward/dnsforward.go index a28142ba..63bb58f7 100644 --- a/internal/dnsforward/dnsforward.go +++ b/internal/dnsforward/dnsforward.go @@ -227,6 +227,7 @@ func (s *Server) WriteDiskConfig(c *FilteringConfig) { c.AllowedClients = aghstrings.CloneSlice(sc.AllowedClients) c.DisallowedClients = aghstrings.CloneSlice(sc.DisallowedClients) c.BlockedHosts = aghstrings.CloneSlice(sc.BlockedHosts) + c.TrustedProxies = aghstrings.CloneSlice(sc.TrustedProxies) c.UpstreamDNS = aghstrings.CloneSlice(sc.UpstreamDNS) } diff --git a/internal/home/config.go b/internal/home/config.go index 7b353ed9..b3536210 100644 --- a/internal/home/config.go +++ b/internal/home/config.go @@ -179,6 +179,8 @@ var config = configuration{ RefuseAny: true, AllServers: false, + TrustedProxies: []string{"127.0.0.0/8", "::1/128"}, + // set default maximum concurrent queries to 300 // we introduced a default limit due to this: // https://github.com/AdguardTeam/AdGuardHome/issues/2015#issuecomment-674041912