Merge: -(dnsforward): fix client settings for CNAME matching
fix #1274 * commit '5077f1a2b31056e184156ce9602e2428c7676acb': -(dnsforward): fix client settings for CNAME matching
This commit is contained in:
commit
7c0cf641db
|
@ -593,22 +593,28 @@ func (s *Server) updateStats(d *proxy.DNSContext, elapsed time.Duration, res dns
|
||||||
s.stats.Update(e)
|
s.stats.Update(e)
|
||||||
}
|
}
|
||||||
|
|
||||||
// filterDNSRequest applies the dnsFilter and sets d.Res if the request was filtered
|
// getClientRequestFilteringSettings lookups client filtering settings
|
||||||
func (s *Server) filterDNSRequest(d *proxy.DNSContext) (*dnsfilter.Result, error) {
|
// using the client's IP address from the DNSContext
|
||||||
if !s.conf.ProtectionEnabled || s.dnsFilter == nil {
|
func (s *Server) getClientRequestFilteringSettings(d *proxy.DNSContext) *dnsfilter.RequestFilteringSettings {
|
||||||
return &dnsfilter.Result{}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
setts := s.dnsFilter.GetConfig()
|
setts := s.dnsFilter.GetConfig()
|
||||||
setts.FilteringEnabled = true
|
setts.FilteringEnabled = true
|
||||||
if s.conf.FilterHandler != nil {
|
if s.conf.FilterHandler != nil {
|
||||||
clientAddr := ipFromAddr(d.Addr)
|
clientAddr := ipFromAddr(d.Addr)
|
||||||
s.conf.FilterHandler(clientAddr, &setts)
|
s.conf.FilterHandler(clientAddr, &setts)
|
||||||
}
|
}
|
||||||
|
return &setts
|
||||||
|
}
|
||||||
|
|
||||||
|
// filterDNSRequest applies the dnsFilter and sets d.Res if the request was filtered
|
||||||
|
func (s *Server) filterDNSRequest(d *proxy.DNSContext) (*dnsfilter.Result, error) {
|
||||||
|
if !s.conf.ProtectionEnabled || s.dnsFilter == nil {
|
||||||
|
return &dnsfilter.Result{}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
setts := s.getClientRequestFilteringSettings(d)
|
||||||
req := d.Req
|
req := d.Req
|
||||||
host := strings.TrimSuffix(req.Question[0].Name, ".")
|
host := strings.TrimSuffix(req.Question[0].Name, ".")
|
||||||
res, err := s.dnsFilter.CheckHost(host, d.Req.Question[0].Qtype, &setts)
|
res, err := s.dnsFilter.CheckHost(host, d.Req.Question[0].Qtype, setts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Return immediately if there's an error
|
// Return immediately if there's an error
|
||||||
return nil, errorx.Decorate(err, "dnsfilter failed to check host '%s'", host)
|
return nil, errorx.Decorate(err, "dnsfilter failed to check host '%s'", host)
|
||||||
|
@ -631,7 +637,6 @@ func (s *Server) filterDNSRequest(d *proxy.DNSContext) (*dnsfilter.Result, error
|
||||||
a := s.genAAnswer(req, ip)
|
a := s.genAAnswer(req, ip)
|
||||||
a.Hdr.Name = dns.Fqdn(name)
|
a.Hdr.Name = dns.Fqdn(name)
|
||||||
resp.Answer = append(resp.Answer, a)
|
resp.Answer = append(resp.Answer, a)
|
||||||
|
|
||||||
} else if req.Question[0].Qtype == dns.TypeAAAA {
|
} else if req.Question[0].Qtype == dns.TypeAAAA {
|
||||||
a := s.genAAAAAnswer(req, ip)
|
a := s.genAAAAAnswer(req, ip)
|
||||||
a.Hdr.Name = dns.Fqdn(name)
|
a.Hdr.Name = dns.Fqdn(name)
|
||||||
|
@ -675,9 +680,8 @@ func (s *Server) filterResponse(d *proxy.DNSContext) (*dnsfilter.Result, error)
|
||||||
s.RUnlock()
|
s.RUnlock()
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
setts := dnsfilter.RequestFilteringSettings{}
|
setts := s.getClientRequestFilteringSettings(d)
|
||||||
setts.FilteringEnabled = true
|
res, err := s.dnsFilter.CheckHost(host, d.Req.Question[0].Qtype, setts)
|
||||||
res, err := s.dnsFilter.CheckHost(host, d.Req.Question[0].Qtype, &setts)
|
|
||||||
s.RUnlock()
|
s.RUnlock()
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -384,6 +384,30 @@ func TestBlockCNAME(t *testing.T) {
|
||||||
_ = s.Stop()
|
_ = s.Stop()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestClientRulesForCNAMEMatching(t *testing.T) {
|
||||||
|
s := createTestServer(t)
|
||||||
|
testUpstm := &testUpstream{testCNAMEs, testIPv4, nil}
|
||||||
|
s.conf.FilterHandler = func(clientAddr string, settings *dnsfilter.RequestFilteringSettings) {
|
||||||
|
settings.FilteringEnabled = false
|
||||||
|
}
|
||||||
|
err := s.startWithUpstream(testUpstm)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
addr := s.dnsProxy.Addr(proxy.ProtoUDP)
|
||||||
|
|
||||||
|
// 'badhost' has a canonical name 'null.example.org' which is blocked by filters:
|
||||||
|
// response is blocked
|
||||||
|
req := dns.Msg{}
|
||||||
|
req.Id = dns.Id()
|
||||||
|
req.Question = []dns.Question{
|
||||||
|
{Name: "badhost.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
|
||||||
|
}
|
||||||
|
// However, in our case it should not be blocked
|
||||||
|
// as filtering is disabled on the client level
|
||||||
|
reply, err := dns.Exchange(&req, addr.String())
|
||||||
|
assert.Nil(t, err)
|
||||||
|
assert.Equal(t, dns.RcodeSuccess, reply.Rcode)
|
||||||
|
}
|
||||||
|
|
||||||
func TestNullBlockedRequest(t *testing.T) {
|
func TestNullBlockedRequest(t *testing.T) {
|
||||||
s := createTestServer(t)
|
s := createTestServer(t)
|
||||||
s.conf.FilteringConfig.BlockingMode = "null_ip"
|
s.conf.FilteringConfig.BlockingMode = "null_ip"
|
||||||
|
@ -563,7 +587,11 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func createTestServer(t *testing.T) *Server {
|
func createTestServer(t *testing.T) *Server {
|
||||||
rules := "||nxdomain.example.org^\n||null.example.org^\n127.0.0.1 host.example.org\n@@||whitelist.example.org^\n||127.0.0.255\n"
|
rules := `||nxdomain.example.org
|
||||||
|
||null.example.org^
|
||||||
|
127.0.0.1 host.example.org
|
||||||
|
@@||whitelist.example.org^
|
||||||
|
||127.0.0.255`
|
||||||
filters := map[int]string{}
|
filters := map[int]string{}
|
||||||
filters[0] = rules
|
filters[0] = rules
|
||||||
c := dnsfilter.Config{}
|
c := dnsfilter.Config{}
|
||||||
|
|
Loading…
Reference in New Issue