a/badguardhome
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

* DNS: set default blocking mode to Null IP for A/AAAA, empty response for others

Browse Source 
Close #1914

Squashed commit of the following:

commit cb127a9a409b2f228848fb838535f3db6e9d32a9
Author: Simon Zolin <s.zolin@adguard.com>
Date:   Fri Oct 2 12:37:11 2020 +0300

    return empty response if not A/AAAA qtype

commit 175a736d7d69619022db92a9250c382ad7fc9996
Author: Simon Zolin <s.zolin@adguard.com>
Date:   Fri Oct 2 12:21:51 2020 +0300

    fix

commit 03aab89d2da00ede3aad6eb5a5bb2d545444a186
Author: Simon Zolin <s.zolin@adguard.com>
Date:   Fri Oct 2 12:18:11 2020 +0300

    fix tests

commit 4225d511df910aae2df4651231c01a8a13bb937f
Author: Simon Zolin <s.zolin@adguard.com>
Date:   Fri Oct 2 12:02:11 2020 +0300

    * DNS: set default blocking mode to Null IP for A/AAAA, NXDOMAIN for others
This commit is contained in:
Simon Zolin 2020-10-02 12:51:55 +03:00
parent 128229ad73
commit 69a740714f
4 changed files with 29 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
client/src/__locales/en.json
View File

@ -257,7 +257,7 @@
"rate_limit_desc": "The number of requests per second that a single client is allowed to make (setting it to 0 means unlimited)", "rate_limit_desc": "The number of requests per second that a single client is allowed to make (setting it to 0 means unlimited)",
"blocking_ipv4_desc": "IP address to be returned for a blocked A request", "blocking_ipv4_desc": "IP address to be returned for a blocked A request",
"blocking_ipv6_desc": "IP address to be returned for a blocked AAAA request", "blocking_ipv6_desc": "IP address to be returned for a blocked AAAA request",
"blocking_mode_default": "Default: Respond with REFUSED when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule", "blocking_mode_default": "Default: Respond with zero IP address (0.0.0.0 for A; :: for AAAA) when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule",
"blocking_mode_refused": "REFUSED: Respond with REFUSED code", "blocking_mode_refused": "REFUSED: Respond with REFUSED code",
"blocking_mode_nxdomain": "NXDOMAIN: Respond with NXDOMAIN code", "blocking_mode_nxdomain": "NXDOMAIN: Respond with NXDOMAIN code",
"blocking_mode_null_ip": "Null IP: Respond with zero IP address (0.0.0.0 for A; :: for AAAA)", "blocking_mode_null_ip": "Null IP: Respond with zero IP address (0.0.0.0 for A; :: for AAAA)",

11
dnsforward/dnsforward_test.go
View File

@ -267,7 +267,7 @@ func TestBlockedRequest(t *testing.T) {
addr := s.dnsProxy.Addr(proxy.ProtoUDP) addr := s.dnsProxy.Addr(proxy.ProtoUDP)
// //
// Default blocking - REFUSED // Default blocking - NULL IP
// //
req := dns.Msg{} req := dns.Msg{}
req.Id = dns.Id() req.Id = dns.Id()
@ -280,7 +280,8 @@ func TestBlockedRequest(t *testing.T) {
if err != nil { if err != nil {
t.Fatalf("Couldn't talk to server %s: %s", addr, err) t.Fatalf("Couldn't talk to server %s: %s", addr, err)
} }
assert.Equal(t, dns.RcodeRefused, reply.Rcode) assert.Equal(t, dns.RcodeSuccess, reply.Rcode)
assert.True(t, reply.Answer[0].(*dns.A).A.Equal(net.ParseIP("0.0.0.0")))
err = s.Stop() err = s.Stop()
if err != nil { if err != nil {
@ -442,7 +443,8 @@ func TestBlockCNAME(t *testing.T) {
req := createTestMessage("badhost.") req := createTestMessage("badhost.")
reply, err := dns.Exchange(req, addr.String()) reply, err := dns.Exchange(req, addr.String())
assert.Nil(t, err, nil) assert.Nil(t, err, nil)
assert.Equal(t, dns.RcodeRefused, reply.Rcode) assert.Equal(t, dns.RcodeSuccess, reply.Rcode)
assert.True(t, reply.Answer[0].(*dns.A).A.Equal(net.ParseIP("0.0.0.0")))
// 'whitelist.example.org' has a canonical name 'null.example.org' which is blocked by filters // 'whitelist.example.org' has a canonical name 'null.example.org' which is blocked by filters
// but 'whitelist.example.org' is in a whitelist: // but 'whitelist.example.org' is in a whitelist:
@ -457,7 +459,8 @@ func TestBlockCNAME(t *testing.T) {
req = createTestMessage("example.org.") req = createTestMessage("example.org.")
reply, err = dns.Exchange(req, addr.String()) reply, err = dns.Exchange(req, addr.String())
assert.Nil(t, err) assert.Nil(t, err)
assert.Equal(t, dns.RcodeRefused, reply.Rcode) assert.Equal(t, dns.RcodeSuccess, reply.Rcode)
assert.True(t, reply.Answer[0].(*dns.A).A.Equal(net.ParseIP("0.0.0.0")))
_ = s.Stop() _ = s.Stop()
} }

3
dnsforward/handle_dns.go
View File

@ -86,9 +86,10 @@ func processInitial(ctx *dnsContext) int {
} }
// disable Mozilla DoH // disable Mozilla DoH
// https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
if (d.Req.Question[0].Qtype == dns.TypeA || d.Req.Question[0].Qtype == dns.TypeAAAA) && if (d.Req.Question[0].Qtype == dns.TypeA || d.Req.Question[0].Qtype == dns.TypeAAAA) &&
d.Req.Question[0].Name == "use-application-dns.net." { d.Req.Question[0].Name == "use-application-dns.net." {
d.Res = s.makeResponseREFUSED(d.Req) d.Res = s.genNXDomain(d.Req)
return resultFinish return resultFinish
} }

29
dnsforward/msg.go
View File

@ -24,7 +24,10 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
m := d.Req m := d.Req
if m.Question[0].Qtype != dns.TypeA && m.Question[0].Qtype != dns.TypeAAAA { if m.Question[0].Qtype != dns.TypeA && m.Question[0].Qtype != dns.TypeAAAA {
return s.makeResponseREFUSED(m) if s.conf.BlockingMode == "null_ip" {
return s.makeResponse(m)
}
return s.genNXDomain(m)
} }
switch result.Reason { switch result.Reason {
@ -42,13 +45,7 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
if s.conf.BlockingMode == "null_ip" { if s.conf.BlockingMode == "null_ip" {
// it means that we should return 0.0.0.0 or :: for any blocked request // it means that we should return 0.0.0.0 or :: for any blocked request
return s.makeResponseNullIP(m)
switch m.Question[0].Qtype {
case dns.TypeA:
return s.genARecord(m, []byte{0, 0, 0, 0})
case dns.TypeAAAA:
return s.genAAAARecord(m, net.IPv6zero)
}
} else if s.conf.BlockingMode == "custom_ip" { } else if s.conf.BlockingMode == "custom_ip" {
// means that we should return custom IP for any blocked request // means that we should return custom IP for any blocked request
@ -73,11 +70,12 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
// Default blocking mode // Default blocking mode
// If there's an IP specified in the rule, return it // If there's an IP specified in the rule, return it
// If there is no IP, return REFUSED // For host-type rules, return null IP
if result.IP != nil { if result.IP != nil {
return s.genResponseWithIP(m, result.IP) return s.genResponseWithIP(m, result.IP)
} }
return s.makeResponseREFUSED(m)
return s.makeResponseNullIP(m)
} }
} }
@ -138,6 +136,17 @@ func (s *Server) genResponseWithIP(req *dns.Msg, ip net.IP) *dns.Msg {
return resp return resp
} }
// Respond with 0.0.0.0 for A, :: for AAAA, empty response for other types
func (s *Server) makeResponseNullIP(req *dns.Msg) *dns.Msg {
if req.Question[0].Qtype == dns.TypeA {
return s.genARecord(req, []byte{0, 0, 0, 0})
} else if req.Question[0].Qtype == dns.TypeAAAA {
return s.genAAAARecord(req, net.IPv6zero)
}
return s.makeResponse(req)
}
func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSContext) *dns.Msg { func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSContext) *dns.Msg {
ip := net.ParseIP(newAddr) ip := net.ParseIP(newAddr)