Pull request: dnsforward: reply with appropriate block resp

Merge in DNS/adguard-home from access-proto-resp to master

Squashed commit of the following:

commit 9e78c002b31990d695c8dbd4561a3304a1827e3d
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Jul 20 13:16:44 2021 +0300

    dnsforward: reply with appropriate block resp
This commit is contained in:
Ainar Garipov 2021-07-20 14:45:08 +03:00
parent 0217c6ad11
commit 8e8f14aefb
5 changed files with 21 additions and 5 deletions


@ -42,6 +42,8 @@ and this project adheres to
### Changed ### Changed
- Clients who are blocked by access settings now receive a `REFUSED` response
when a protocol other than DNS-over-UDP and DNSCrypt is used.
- `querylog_interval` setting is now formatted in hours. - `querylog_interval` setting is now formatted in hours.
- Query log search now supports internationalized domains ([#3012]). - Query log search now supports internationalized domains ([#3012]).
- Internationalized domains are now shown decoded in the query log with the - Internationalized domains are now shown decoded in the query log with the

2
go.mod

@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
go 1.16 go 1.16
require ( require (
github.com/AdguardTeam/dnsproxy v0.38.2 github.com/AdguardTeam/dnsproxy v0.38.3
github.com/AdguardTeam/golibs v0.8.0 github.com/AdguardTeam/golibs v0.8.0
github.com/AdguardTeam/urlfilter v0.14.6 github.com/AdguardTeam/urlfilter v0.14.6
github.com/NYTimes/gziphandler v1.1.1 github.com/NYTimes/gziphandler v1.1.1

4
go.sum

@ -9,8 +9,8 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk= github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk=
github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI= github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
github.com/AdguardTeam/dnsproxy v0.38.2 h1:QHxvShAm4GwH0PyRN60xf18+5nAzmbvhPoEvhfVycSA= github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I=
github.com/AdguardTeam/dnsproxy v0.38.2/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0= github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0= github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0=


@ -27,7 +27,7 @@ func (s *Server) beforeRequestHandler(
blocked, _ := s.IsBlockedClient(ip, clientID) blocked, _ := s.IsBlockedClient(ip, clientID)
if blocked { if blocked {
return false, nil return s.preBlockedResponse(pctx)
} }
if len(pctx.Req.Question) == 1 { if len(pctx.Req.Question) == 1 {
@ -35,7 +35,7 @@ func (s *Server) beforeRequestHandler(
if s.access.isBlockedHost(host) { if s.access.isBlockedHost(host) {
log.Debug("host %s is in access blocklist", host) log.Debug("host %s is in access blocklist", host)
return false, nil return s.preBlockedResponse(pctx)
} }
} }


@ -266,6 +266,20 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
return resp return resp
} }
// preBlockedResponse returns a protocol-appropriate response for a request that
// was blocked by access settings.
func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
// Return nil so that dnsproxy drops the connection and thus
// prevent DNS amplification attacks.
return false, nil
}
pctx.Res = s.makeResponseREFUSED(pctx.Req)
return true, nil
}
// Create REFUSED DNS response // Create REFUSED DNS response
func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg { func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
resp := dns.Msg{} resp := dns.Msg{}
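Review bot: The comment inside the UDP/DNSCrypt branch of preBlockedResponse says `Return nil so that dnsproxy drops the connection`, but the branch returns `false, nil` and over UDP there is no connection to drop; what actually removes the reflection/amplification risk is that no datagram is sent back to a source address that may be spoofed. Suggest rewording it to `// Return reply=false so that dnsproxy sends nothing back: an unanswered query cannot be used for reflection with a spoofed source address.` Whether proxy.ProtoDNSCrypt also covers DNSCrypt over TCP is not visible in this hunk; if it does, those connection-oriented clients are silently dropped instead of receiving the REFUSED the changelog promises, which is worth confirming against the dnsproxy version pulled in by this commit. The same wording issue does not affect makeResponseREFUSED, whose body continues outside the hunk.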