Pull request: dnsforward: reply with appropriate block resp
Merge in DNS/adguard-home from access-proto-resp to master Squashed commit of the following: commit 9e78c002b31990d695c8dbd4561a3304a1827e3d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jul 20 13:16:44 2021 +0300 dnsforward: reply with appropriate block resp
parent
0217c6ad11
commit
8e8f14aefb
|
@ -42,6 +42,8 @@ and this project adheres to
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
- Clients who are blocked by access settings now receive a `REFUSED` response
|
||||||
|
when a protocol other than DNS-over-UDP and DNSCrypt is used.
|
||||||
- `querylog_interval` setting is now formatted in hours.
|
- `querylog_interval` setting is now formatted in hours.
|
||||||
- Query log search now supports internationalized domains ([#3012]).
|
- Query log search now supports internationalized domains ([#3012]).
|
||||||
- Internationalized domains are now shown decoded in the query log with the
|
- Internationalized domains are now shown decoded in the query log with the
|
||||||
|
|
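--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.16
 
 require (
-github.com/AdguardTeam/dnsproxy v0.38.2
+github.com/AdguardTeam/dnsproxy v0.38.3
 github.com/AdguardTeam/golibs v0.8.0
 github.com/AdguardTeam/urlfilter v0.14.6
 github.com/NYTimes/gziphandler v1.1.1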
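--- a/go.sum
+++ b/go.sum
@@ -9,8 +9,8 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
-github.com/AdguardTeam/dnsproxy v0.38.2 h1:QHxvShAm4GwH0PyRN60xf18+5nAzmbvhPoEvhfVycSA=
-github.com/AdguardTeam/dnsproxy v0.38.2/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
+github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I=
+github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0=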
|
@ -27,7 +27,7 @@ func (s *Server) beforeRequestHandler(
|
||||||
|
|
||||||
blocked, _ := s.IsBlockedClient(ip, clientID)
|
blocked, _ := s.IsBlockedClient(ip, clientID)
|
||||||
if blocked {
|
if blocked {
|
||||||
return false, nil
|
return s.preBlockedResponse(pctx)
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(pctx.Req.Question) == 1 {
|
if len(pctx.Req.Question) == 1 {
|
||||||
|
@ -35,7 +35,7 @@ func (s *Server) beforeRequestHandler(
|
||||||
if s.access.isBlockedHost(host) {
|
if s.access.isBlockedHost(host) {
|
||||||
log.Debug("host %s is in access blocklist", host)
|
log.Debug("host %s is in access blocklist", host)
|
||||||
|
|
||||||
return false, nil
|
return s.preBlockedResponse(pctx)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
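Review bot: The blocked-client branch now sends a reply to stream clients but still writes no log line, while the blocked-host branch in the second hunk logs at debug level before taking the same path. The value discarded in `blocked, _ := s.IsBlockedClient(ip, clientID)` presumably identifies the matching access rule; a line such as `log.Debug("client %s is blocked by access settings, proto %s", ip, pctx.Proto)` before the return would let an operator tell a deliberate REFUSED from a resolver fault and would give detection something to count per client. beforeRequestHandler starts and ends outside both hunks, so how `ip` and `clientID` are derived is not visible here.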
|
@ -266,6 +266,20 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
|
||||||
return resp
|
return resp
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// preBlockedResponse returns a protocol-appropriate response for a request that
|
||||||
|
// was blocked by access settings.
|
||||||
|
func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
|
||||||
|
if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
|
||||||
|
// Return nil so that dnsproxy drops the connection and thus
|
||||||
|
// prevent DNS amplification attacks.
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
pctx.Res = s.makeResponseREFUSED(pctx.Req)
|
||||||
|
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
// Create REFUSED DNS response
|
// Create REFUSED DNS response
|
||||||
func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
|
func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
|
||||||
resp := dns.Msg{}
|
resp := dns.Msg{}
|
||||||
|
|
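Review bot: The protocol test in `preBlockedResponse` names the two transports that must stay silent and answers every other one, so a transport added to dnsproxy later would receive a REFUSED reply by default, including one whose source address can be spoofed. Because the comment gives amplification as the reason for the drop, listing the transports that may be answered and staying silent otherwise would fail safe. The constant names below should be checked against the dnsproxy version pinned in go.mod. No test for the new function is visible in this section; a table test over the protocols would pin both the drop and the REFUSED path.

```go
func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
	switch pctx.Proto {
	case proxy.ProtoTCP, proxy.ProtoTLS, proxy.ProtoHTTPS, proxy.ProtoQUIC:
		// The peer address was confirmed by a handshake, so the reply
		// cannot be reflected at a third party.
		pctx.Res = s.makeResponseREFUSED(pctx.Req)

		return true, nil
	default:
		// Stay silent on datagram and unknown transports so that the
		// server cannot be used for DNS amplification.
		return false, nil
	}
}
```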