+ dns: support blocking_mode=custom_ip
This commit is contained in:
Simon Zolin
Ildar Kamalov
parent
26ccee47b5
commit
4f4da3397c
|
|
@ -819,7 +819,9 @@ Response:
|
||||||
{
|
{
|
||||||
"protection_enabled": true | false,
|
"protection_enabled": true | false,
|
||||||
"ratelimit": 1234,
|
"ratelimit": 1234,
|
||||||
"blocking_mode": "nxdomain" | "null_ip",
|
"blocking_mode": "nxdomain" | "null_ip" | "custom_ip",
|
||||||
|
"blocking_ipv4": "1.2.3.4",
|
||||||
|
"blocking_ipv6": "1:2:3::4",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -832,13 +834,17 @@ Request:
|
||||||
{
|
{
|
||||||
"protection_enabled": true | false,
|
"protection_enabled": true | false,
|
||||||
"ratelimit": 1234,
|
"ratelimit": 1234,
|
||||||
"blocking_mode": "nxdomain" | "null_ip",
|
"blocking_mode": "nxdomain" | "null_ip" | "custom_ip",
|
||||||
|
"blocking_ipv4": "1.2.3.4",
|
||||||
|
"blocking_ipv6": "1:2:3::4",
|
||||||
}
|
}
|
||||||
|
|
||||||
Response:
|
Response:
|
||||||
|
|
||||||
200 OK
|
200 OK
|
||||||
|
|
||||||
|
`blocking_ipv4` and `blocking_ipv6` values are active when `blocking_mode` is set to `custom_ip`.
|
||||||
|
|
||||||
|
|
||||||
## DNS access settings
|
## DNS access settings
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -100,6 +100,11 @@ type FilteringConfig struct {
|
||||||
ProtectionEnabled bool `yaml:"protection_enabled"` // whether or not use any of dnsfilter features
|
ProtectionEnabled bool `yaml:"protection_enabled"` // whether or not use any of dnsfilter features
|
||||||
|
|
||||||
BlockingMode string `yaml:"blocking_mode"` // mode how to answer filtered requests
|
BlockingMode string `yaml:"blocking_mode"` // mode how to answer filtered requests
|
||||||
|
BlockingIPv4 string `yaml:"blocking_ipv4"` // IP address to be returned for a blocked A request
|
||||||
|
BlockingIPv6 string `yaml:"blocking_ipv6"` // IP address to be returned for a blocked AAAA request
|
||||||
|
BlockingIPAddrv4 net.IP `yaml:"-"`
|
||||||
|
BlockingIPAddrv6 net.IP `yaml:"-"`
|
||||||
|
|
||||||
BlockedResponseTTL uint32 `yaml:"blocked_response_ttl"` // if 0, then default is used (3600)
|
BlockedResponseTTL uint32 `yaml:"blocked_response_ttl"` // if 0, then default is used (3600)
|
||||||
Ratelimit uint32 `yaml:"ratelimit"` // max number of requests per second from a given IP (0 to disable)
|
Ratelimit uint32 `yaml:"ratelimit"` // max number of requests per second from a given IP (0 to disable)
|
||||||
RatelimitWhitelist []string `yaml:"ratelimit_whitelist"` // a list of whitelisted client IP addresses
|
RatelimitWhitelist []string `yaml:"ratelimit_whitelist"` // a list of whitelisted client IP addresses
|
||||||
|
|
@ -657,6 +662,14 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
|
||||||
case dns.TypeAAAA:
|
case dns.TypeAAAA:
|
||||||
return s.genAAAARecord(m, net.IPv6zero)
|
return s.genAAAARecord(m, net.IPv6zero)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
} else if s.conf.BlockingMode == "custom_ip" {
|
||||||
|
switch m.Question[0].Qtype {
|
||||||
|
case dns.TypeA:
|
||||||
|
return s.genARecord(m, s.conf.BlockingIPAddrv4)
|
||||||
|
case dns.TypeAAAA:
|
||||||
|
return s.genAAAARecord(m, s.conf.BlockingIPAddrv6)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return s.genNXDomain(m)
|
return s.genNXDomain(m)
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/AdguardTeam/dnsproxy/upstream"
|
"github.com/AdguardTeam/dnsproxy/upstream"
|
||||||
|
"github.com/AdguardTeam/golibs/jsonutil"
|
||||||
"github.com/AdguardTeam/golibs/log"
|
"github.com/AdguardTeam/golibs/log"
|
||||||
"github.com/AdguardTeam/golibs/utils"
|
"github.com/AdguardTeam/golibs/utils"
|
||||||
"github.com/miekg/dns"
|
"github.com/miekg/dns"
|
||||||
|
|
@ -24,6 +25,8 @@ type dnsConfigJSON struct {
|
||||||
ProtectionEnabled bool `json:"protection_enabled"`
|
ProtectionEnabled bool `json:"protection_enabled"`
|
||||||
RateLimit uint32 `json:"ratelimit"`
|
RateLimit uint32 `json:"ratelimit"`
|
||||||
BlockingMode string `json:"blocking_mode"`
|
BlockingMode string `json:"blocking_mode"`
|
||||||
|
BlockingIPv4 string `json:"blocking_ipv4"`
|
||||||
|
BlockingIPv6 string `json:"blocking_ipv6"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
|
func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
@ -31,6 +34,8 @@ func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
|
||||||
s.RLock()
|
s.RLock()
|
||||||
resp.ProtectionEnabled = s.conf.ProtectionEnabled
|
resp.ProtectionEnabled = s.conf.ProtectionEnabled
|
||||||
resp.BlockingMode = s.conf.BlockingMode
|
resp.BlockingMode = s.conf.BlockingMode
|
||||||
|
resp.BlockingIPv4 = s.conf.BlockingIPv4
|
||||||
|
resp.BlockingIPv6 = s.conf.BlockingIPv6
|
||||||
resp.RateLimit = s.conf.Ratelimit
|
resp.RateLimit = s.conf.Ratelimit
|
||||||
s.RUnlock()
|
s.RUnlock()
|
||||||
|
|
||||||
|
|
@ -43,27 +48,68 @@ func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
|
||||||
_, _ = w.Write(js)
|
_, _ = w.Write(js)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func checkBlockingMode(req dnsConfigJSON) bool {
|
||||||
|
bm := req.BlockingMode
|
||||||
|
if !(bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if bm == "custom_ip" {
|
||||||
|
ip := net.ParseIP(req.BlockingIPv4)
|
||||||
|
if ip == nil || ip.To4() == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
ip = net.ParseIP(req.BlockingIPv6)
|
||||||
|
if ip == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
|
func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
|
||||||
req := dnsConfigJSON{}
|
req := dnsConfigJSON{}
|
||||||
err := json.NewDecoder(r.Body).Decode(&req)
|
js, err := jsonutil.DecodeObject(&req, r.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
httpError(r, w, http.StatusBadRequest, "json.Decode: %s", err)
|
httpError(r, w, http.StatusBadRequest, "json.Decode: %s", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !(req.BlockingMode == "nxdomain" || req.BlockingMode == "null_ip") {
|
if js.Exists("blocking_mode") && !checkBlockingMode(req) {
|
||||||
httpError(r, w, http.StatusBadRequest, "blocking_mode: value not supported")
|
httpError(r, w, http.StatusBadRequest, "blocking_mode: incorrect value")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
restart := false
|
restart := false
|
||||||
s.Lock()
|
s.Lock()
|
||||||
|
|
||||||
|
if js.Exists("protection_enabled") {
|
||||||
s.conf.ProtectionEnabled = req.ProtectionEnabled
|
s.conf.ProtectionEnabled = req.ProtectionEnabled
|
||||||
|
}
|
||||||
|
|
||||||
|
if js.Exists("blocking_mode") {
|
||||||
s.conf.BlockingMode = req.BlockingMode
|
s.conf.BlockingMode = req.BlockingMode
|
||||||
|
if req.BlockingMode == "custom_ip" {
|
||||||
|
if js.Exists("blocking_ipv4") {
|
||||||
|
s.conf.BlockingIPv4 = req.BlockingIPv4
|
||||||
|
s.conf.BlockingIPAddrv4 = net.ParseIP(req.BlockingIPv4)
|
||||||
|
}
|
||||||
|
if js.Exists("blocking_ipv6") {
|
||||||
|
s.conf.BlockingIPv6 = req.BlockingIPv6
|
||||||
|
s.conf.BlockingIPAddrv6 = net.ParseIP(req.BlockingIPv6)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if js.Exists("ratelimit") {
|
||||||
if s.conf.Ratelimit != req.RateLimit {
|
if s.conf.Ratelimit != req.RateLimit {
|
||||||
restart = true
|
restart = true
|
||||||
}
|
}
|
||||||
s.conf.Ratelimit = req.RateLimit
|
s.conf.Ratelimit = req.RateLimit
|
||||||
|
}
|
||||||
|
|
||||||
s.Unlock()
|
s.Unlock()
|
||||||
s.conf.ConfigModified()
|
s.conf.ConfigModified()
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue